Malware Analysis Report

2024-12-06 02:56

Sample ID 241110-chynysxbmq
Target 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3
SHA256 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3

Threat Level: Known bad

The file 2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

RedLine

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:05

Reported

2024-11-10 02:07

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8687869.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe
PID 3936 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe
PID 3936 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8687869.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe

"C:\Users\Admin\AppData\Local\Temp\2dd3cd6cb382602eea9e0526c49a9b91d127aa2bdac315ec216bec6e6b83e0c3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8687869.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8687869.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8614845.exe

MD5 b4c43a1e60e00e171ca62e619db2535b
SHA1 8e9fa77173df4d83d779cfd78015072ce8514aaf
SHA256 4023883d1c7ff4edc7598924065033f3ca86a465e54259efbdc6751d5de14f5a
SHA512 28f23dfb2bd16258e0ec2f34eec3e146f0b87a35909b73b1a23ab0a2fdb4dd31bfcbf1648d3201d1adbe7c2b9b90e047705a95141ad45c9348b7af84626ad7ea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3605247.exe

MD5 debf3046e1cd137d50c54602f9c82451
SHA1 9443adf1fdc055c629650638aa43cdce5d0c2258
SHA256 28c5bb5bbe53c2c791e175a2647e55b5660d95fb530d774502cd13130f46512b
SHA512 e1b1c9b3b3600a808448100d94f3e0618c97b2eff92472efe122d378d5b030b10b4d6b5cce11bb7107e944f0ae2c973544fb245985c210a670e906e0455dff80

memory/2424-14-0x0000000073E8E000-0x0000000073E8F000-memory.dmp
memory/2424-15-0x00000000020A0000-0x00000000020BA000-memory.dmp
memory/2424-16-0x0000000073E80000-0x0000000074630000-memory.dmp
memory/2424-17-0x0000000004BE0000-0x0000000005184000-memory.dmp
memory/2424-18-0x0000000073E80000-0x0000000074630000-memory.dmp
memory/2424-19-0x0000000073E80000-0x0000000074630000-memory.dmp
memory/2424-20-0x00000000023A0000-0x00000000023B8000-memory.dmp
memory/2424-42-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-48-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-46-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-44-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-40-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-38-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-36-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-34-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-32-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-30-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-28-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-26-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-24-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-22-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-21-0x00000000023A0000-0x00000000023B2000-memory.dmp
memory/2424-49-0x0000000073E8E000-0x0000000073E8F000-memory.dmp
memory/2424-50-0x0000000073E80000-0x0000000074630000-memory.dmp
memory/2424-52-0x0000000073E80000-0x0000000074630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8687869.exe

MD5 e01341871106094e8cdf0f49c7800369
SHA1 6d2c17a7ff9037f4e0834998946f29b59fb2bf18
SHA256 1627fba719a0532e9de3309a3d08e01378f87ad934cb78c16d6ebf9ee8e0a0a7
SHA512 a1fb562757d8956983aea2e06f2ede71b978a24dc5afe56ded11e4ca372da3750e130a807572c5094688a7ffec450248e3bc7ea3cf4106f49453e7c39d42b9b5

memory/4880-56-0x00000000007B0000-0x00000000007D8000-memory.dmp
memory/4880-57-0x0000000007BC0000-0x00000000081D8000-memory.dmp
memory/4880-58-0x0000000007650000-0x0000000007662000-memory.dmp
memory/4880-59-0x0000000007780000-0x000000000788A000-memory.dmp
memory/4880-60-0x00000000076E0000-0x000000000771C000-memory.dmp
memory/4880-61-0x0000000007720000-0x000000000776C000-memory.dmp