Malware Analysis Report

2024-12-06 02:56

Sample ID 241110-cjj7ysxbpl
Target 5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb
SHA256 5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb

Threat Level: Known bad

The file 5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer

Detects Healer, an antivirus-disabler dropper

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

Healer family

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:06

Signatures

Unsigned PE

The sample carries no Authenticode signature. Description, Indicator, Process and Target were not exported for this static signature (N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:06

Reported

2024-11-10 02:08

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Two rule matches; Description, Indicator, Process and Target were not exported (N/A).

Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings (tags: evasion, trojan)

All six registry operations are performed by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Target: N/A). These are the Group Policy override values for Defender's real-time engine; setting each one to 1 turns that component off.

Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Set value (int) DisableBehaviorMonitoring = "1"
Set value (int) DisableIOAVProtection = "1"
Set value (int) DisableOnAccessProtection = "1"
Set value (int) DisableRealtimeMonitoring = "1"
Set value (int) DisableScanOnRealtimeEnable = "1"

The sandbox records the write, not whether Defender honoured it: on a host with Tamper Protection enabled these real-time settings are protected, and the same process also attempts to clear the TamperProtection feature flag (see Windows security modification below).

RedLine (tags: infostealer, redline)

RedLine payload

35 rule matches; Description, Indicator, Process and Target were not exported for any of them (N/A), so the report does not say which of the dropped executables carries the RedLine payload.

Redline family (tags: redline)

Windows security modification (tags: evasion, trojan)

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe (Target: N/A)

TamperProtection is the Defender feature flag that guards the real-time settings written above. Defender protects this value itself, so the row is evidence of intent rather than proof that protection was switched off on the sandbox.

Adds Run key to start application (tags: persistence)

Both entries are RunOnce values written by the wextract stub of a self-extracting (IExpress-style) package: rundll32.exe advpack.dll,DelNodeRunDLL32 deletes the named IXPnnn.TMP extraction directory at the next logon. They remove the dropped files rather than start a payload, so this signature records the SFX cleanup mechanism, not persistence of RedLine or Healer; the report shows no Run or RunOnce value that points at a payload. The WOW6432Node path shows the writers are 32-bit processes on the 64-bit sandbox.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" written by C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe (Target: N/A)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" written by C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe (Target: N/A)
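Detection logic for the three registry signatures above (the Real-Time Protection policy writes, the TamperProtection write and the RunOnce entries), as an added example in Python, not code from the sandbox or from the malware: it parses rows in the format this report uses, undoes the report's \" and \\ escaping of the value data, and tells the wextract cleanup entries apart from a genuine autostart value. The rows are copied from this report except the Run\Updater row, which is invented here to show the contrast; the labels and severities are this example's own.

```python
"""Classify registry-write rows of the kind this report lists.

Added example, not part of the sandbox report or its signature engine. The
row format, the Defender value names and the RunOnce entry come from the
report; the labels, severities and the Run\\Updater row are assumptions.
"""
import re

DEFENDER_RTP_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft"
                    r"\Windows Defender\Real-Time Protection")
DEFENDER_RTP_DISABLES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
TAMPER_VALUE = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender"
                r"\Features\TamperProtection")

# One report row: <op> <key or value path> [= "<data>"] <process> <target>
# Paths may contain spaces; process and target never do, so the path is
# matched lazily and the data group accepts the report's \" and \\ escapes.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<proc>\S+)\s+(?P<target>\S+)$')
RUNKEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.I)
# Cleanup entry written by wextract.exe (IExpress self-extractor): it deletes
# the IXPnnn.TMP extraction directory at next logon and never starts a payload.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe C:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 '
    r'"[^"]*\\IXP\d{3}\.TMP\\"$', re.I)


def parse_row(line):
    """Return the row's fields as a dict (data unescaped), or None if not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row["data"] is not None:
        # Undo the report's escaping: \\ -> \ and \" -> "
        row["data"] = re.sub(r"\\(.)", r"\1", row["data"])
    return row


def classify(row):
    """Map one row to (label, severity); None for rows not worth reporting."""
    path, data = row["path"], row["data"]
    key, _, name = path.rpartition("\\")
    if row["op"].startswith("Set value"):
        if key == DEFENDER_RTP_KEY and name in DEFENDER_RTP_DISABLES and data == "1":
            return ("defender-realtime-disabled", "high")
        if path == TAMPER_VALUE and data == "0":
            return ("defender-tamper-protection-off", "high")
        if RUNKEY_RE.search(path) and data is not None:
            if WEXTRACT_CLEANUP_RE.match(data):
                return ("sfx-cleanup-runonce", "info")
            return ("run-key-persistence", "medium")
    elif row["op"] == "Key created" and path == DEFENDER_RTP_KEY:
        return ("defender-policy-key-created", "low")
    elif row["op"] == "Key opened" and path.endswith(r"\Control\NLS\Language"):
        return ("system-language-discovery", "info")
    return None


def triage(lines):
    """Parse and classify rows; one (process basename, label, severity) per hit."""
    findings = []
    for line in lines:
        row = parse_row(line)
        verdict = classify(row) if row else None
        if verdict:
            findings.append((row["proc"].rsplit("\\", 1)[-1],) + verdict)
    return findings


JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe"
ZI = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe"

# Constructed input: rows copied from this report, plus one invented
# Run\Updater row to show how a real autostart entry differs from SFX cleanup.
SAMPLE_ROWS = [
    f'Set value (int) {DEFENDER_RTP_KEY}\\{v} = "1" {JR} N/A'
    for v in sorted(DEFENDER_RTP_DISABLES)
] + [
    f'Key created {DEFENDER_RTP_KEY} {JR} N/A',
    f'Set value (int) {TAMPER_VALUE} = "0" {JR} N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows'
    r'\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData'
    r'\\Local\\Temp\\IXP001.TMP\\\"" ' + ZI + ' N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" ' + JR + ' N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ' + ZI + ' N/A',
]

if __name__ == "__main__":
    for proc, label, severity in triage(SAMPLE_ROWS):
        print(f"{severity:6} {label:32} {proc}")
```

Run as a script it prints one line per finding; the five Real-Time Protection writes and the TamperProtection write come out at high severity, the wextract cleanup entry is demoted to informational, and only the invented Run\Updater row is reported as persistence.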

System Location Discovery: System Language Discovery (tags: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe N/A

Suspicious behavior: EnumeratesProcesses

Two hits from C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe (Description, Indicator and Target not exported: N/A).

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege adjusted by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe
Token: SeDebugPrivilege adjusted by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe

SeDebugPrivilege lets a process open other processes regardless of their ACLs. Together with the process enumeration above and the WriteProcessMemory use listed in the summary it is the usual prerequisite for writing into another process, but the report does not identify the target of the write.

Processes

Execution chain, reconstructed from the RunOnce cleanup entries under Signatures (the sample registered the cleanup of IXP000.TMP, ziTr3438.exe the cleanup of IXP001.TMP): the sample is a self-extracting package that extracts ziTr3438.exe into IXP000.TMP and runs it; ziTr3438.exe is a second self-extracting package that extracts jr354897.exe (the process that writes the Defender values) and ku819944.exe (the process most of the memory dumps under Files were taken from) into IXP001.TMP and runs them. Each process is listed with its command line.

C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe
"C:\Users\Admin\AppData\Local\Temp\5b702cd9371401c56e25cbb36a55e08aa5490653a961679f6243780da56fa0eb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe

Network

The udp rows to 8.8.8.8:53 are DNS queries; the *.in-addr.arpa names are PTR (reverse) lookups, and the four leading labels read backwards give the address being asked about (83.210.23.2.in-addr.arpa asks about 2.23.210.83). The tcp rows carry no domain: they are direct connections to 176.113.115.145 on port 4125, the only non-DNS traffic in the run and the likely command-and-control channel; the report does not show what was exchanged on them.

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
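The Network table above turned into a triage summary, as an added example in Python that is not part of the sandbox report: it parses the rows, decodes the PTR names back to the addresses they ask about, and counts the direct connections. The rows are copied from this report; the "candidate C2" heuristic (an endpoint contacted directly several times) is this example's own assumption.

```python
"""Parse this report's Network table into DNS lookups and direct connections.

Added example, not part of the sandbox report. NETWORK_ROWS is copied from the
report; candidate_c2() is a heuristic of this example, not a sandbox verdict.
"""
import ipaddress
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
"""

# Country Destination [Domain] Proto; the Domain column is absent on raw TCP rows.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def ptr_to_ip(name):
    """For a PTR name such as 83.210.23.2.in-addr.arpa return '2.23.210.83'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def parse_rows(text):
    """One dict per well-formed row; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Split rows into DNS lookups {name: decoded IP or None} and a Counter of
    direct (cc, ip, port, proto) connections."""
    lookups, direct = {}, Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == "53" and r["domain"]:
            lookups[r["domain"]] = ptr_to_ip(r["domain"])
        else:
            direct[(r["cc"], r["ip"], int(r["port"]), r["proto"])] += 1
    return lookups, direct


def candidate_c2(direct, min_hits=3):
    """Endpoints contacted directly at least min_hits times, busiest first.
    Heuristic of this example: repeated raw connections to one host on a
    non-web port are the usual shape of a stealer check-in."""
    return [(ep, n) for ep, n in direct.most_common() if n >= min_hits]


if __name__ == "__main__":
    lookups, direct = summarize(parse_rows(NETWORK_ROWS))
    for name, ip in lookups.items():
        print(f"PTR {name:36} -> {ip}")
    for (cc, ip, port, proto), n in candidate_c2(direct):
        print(f"C2? {cc} {ip}:{port}/{proto} x{n}")
```

Run as a script it lists the seven reverse lookups with their decoded addresses and one candidate endpoint, 176.113.115.145:4125/tcp, seen six times. The decoded PTR targets are addresses the sandbox host contacted, not domains, so compare them against the other traffic before treating any of them as an indicator.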

Files

Each dropped file is listed with its hashes. The memory/<pid>-<n>-<start>-<end>-memory.dmp entries beneath a file are snapshots of that process's memory (pid 380 for jr354897.exe, pid 4512 for ku819944.exe), numbered in the order they were taken, with the start and end address of the dumped region.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTr3438.exe

MD5 919ce246648faad27263281f9de19d9c
SHA1 aab9a7a89afcd91dab012be6fdc4a58e5ccd9004
SHA256 5c1ab1bf3050c45fa3799aaaa96070923fd7815d9b1fd278f2aa3c94c3e0f057
SHA512 4fff470d24a2659ccae9d5ee3bd70f55082656b2291a968a2d1de64c6767b36ef3cee32c17e14d5349c68b418426b8b8384a517b3bc0295886a77873997113e9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr354897.exe

MD5 ee3cd6f82b4479ebf9322653a5307243
SHA1 23a2fb6a9a65e1b306c52ed377f037f743453f9d
SHA256 9806fa5b6a4a2e57aa9db82eac0d9efdab32fca014c195fd3fd19e06331489bd
SHA512 f2f71c505a589801ce8569f904a520be85158ea5505e7640c3f31ebf0b0cd0c5159a51b6169d8b16e68d900eb406ee244be2879ada3783a96dfd4395bc4e122b

memory/380-14-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp

memory/380-15-0x00000000000A0000-0x00000000000AA000-memory.dmp

memory/380-16-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku819944.exe

MD5 63aeb4600233cf896c37827e80912729
SHA1 93b29d5aadc287e416927db8937aabf543b96fac
SHA256 a8baff8465e0b4d12fc1c05c4467818192e046e3fc28c914e4808d1bc09ddff9
SHA512 85bd4d493fcbeae58c3cbf9f399c7507becbd28fd53b97da6ce4af884a2aff8f89c9211fdf2e9cea678246e18924f85c6310f07c68c9b51cdccd6215d6309a3d

memory/4512-22-0x00000000027E0000-0x0000000002826000-memory.dmp

memory/4512-23-0x0000000004E50000-0x00000000053F4000-memory.dmp

memory/4512-24-0x0000000005440000-0x0000000005484000-memory.dmp

memory/4512-<n>-0x0000000005440000-0x000000000547F000-memory.dmp for n = 25, 26, 28, 30, 32, 34, 36, 39, 40, 42, 45, 46, 48, 50, 53, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 85, 86, 88 (33 snapshots of the same 0x3F000-byte region; snapshot 24 above covers the same start address with an end 0x5000 bytes further on)

memory/4512-931-0x0000000005480000-0x0000000005A98000-memory.dmp

memory/4512-932-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

memory/4512-933-0x0000000005C30000-0x0000000005C42000-memory.dmp

memory/4512-934-0x0000000005C50000-0x0000000005C8C000-memory.dmp

memory/4512-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp
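A small parser for the dump names above, as an added example in Python that is not part of the sandbox report: it groups the snapshots by process and region so that the region dumped most often and the largest regions can be picked out for further work (unpacked payload, configuration strings). The names are a subset copied from this report; reading the first number as the pid and the ordering choices are this example's assumptions.

```python
"""Group memory dump names from the Files section by process and region.

Added example, not part of the sandbox report. DUMPS is a subset of the
report's names; the pid reading and the orderings are this example's own.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DUMPS = """\
memory/380-14-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp
memory/380-15-0x00000000000A0000-0x00000000000AA000-memory.dmp
memory/380-16-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp
memory/4512-22-0x00000000027E0000-0x0000000002826000-memory.dmp
memory/4512-23-0x0000000004E50000-0x00000000053F4000-memory.dmp
memory/4512-24-0x0000000005440000-0x0000000005484000-memory.dmp
memory/4512-26-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-42-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-25-0x0000000005440000-0x000000000547F000-memory.dmp
memory/4512-931-0x0000000005480000-0x0000000005A98000-memory.dmp
memory/4512-932-0x0000000005AF0000-0x0000000005BFA000-memory.dmp
memory/4512-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp
""".split()


def parse_dump(name):
    """Fields of one dump name, or None if the name does not fit the pattern."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def group_regions(names):
    """{(pid, start, end): sorted snapshot numbers} for every parseable name."""
    groups = defaultdict(list)
    for n in names:
        d = parse_dump(n)
        if d:
            groups[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: sorted(v) for k, v in groups.items()}


def regions_for(groups, pid):
    """Regions of one pid as (start, end, size, snapshot count), largest first."""
    out = [(s, e, e - s, len(seqs)) for (p, s, e), seqs in groups.items() if p == pid]
    return sorted(out, key=lambda r: (-r[2], r[0]))


def most_snapshotted(groups):
    """The (pid, start, end) region dumped most often: a buffer the process kept
    rewriting, which is the first one to pull when looking for unpacked code."""
    return max(groups, key=lambda k: (len(groups[k]), k[1]))


if __name__ == "__main__":
    groups = group_regions(DUMPS)
    for pid in sorted({p for p, _, _ in groups}):
        for start, end, size, count in regions_for(groups, pid):
            print(f"pid {pid}: 0x{start:X}-0x{end:X} {size:#x} bytes, {count} snapshot(s)")
    print("most snapshotted:", most_snapshotted(groups))
```

On the full list in the report the 0x5440000-0x547F000 region of pid 4512 wins by a wide margin (33 snapshots), while the largest single dumps are the 0x5480000 and 0x4E50000 regions; for pid 380 only a 0xA000-byte region and an 0x2000-byte high-address page were captured.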