Malware Analysis Report

2024-11-30 23:17

Sample ID 241111-f7c1bsthqh
Target d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32
SHA256 d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32
Tags: healer redline rodik discovery dropper evasion infostealer persistence trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32

Threat Level: Known bad

The file d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32 was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

Healer

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
(1 match; the static report records no description, indicator, process or target for it)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:30

Reported

2024-11-11 05:33

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
(2 matches; the report records no description, indicator, process or target for them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(35 matches; the report records no description, indicator, process or target for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe | N/A

Note: these five values are the RunOnce cleanup entries that the Windows WExtract (IExpress) self-extractor writes for itself; advpack.dll's DelNodeRunDLL32 deletes the IXPnnn.TMP extraction directory at the next logon. They show five nested SFX layers, each stage extracting the next, rather than persistence of the final payloads: no Run or RunOnce value pointing at iWi51Cr.exe or ktI25iS.exe appears in this report.
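The registry rows in the three tables above (Defender real-time protection policies, the TamperProtection feature flag, and the wextract_cleanup RunOnce values) are the kind of flattened sandbox output that is worth turning into a repeatable check rather than reading by eye. The following Python is an added example, not part of this sandbox report or of any vendor tooling: it parses rows in the report's own "Set value (type) key = "data" process target" and "Key created key process target" layouts and classifies them. The rule names, severities and the helper functions are this example's own choices; the sample rows are copied from the tables above plus one constructed negative row (svchost.exe writing DisableRealtimeMonitoring = "0") to show that only the tampering direction fires. One caveat for triage: a sandbox records the write whether or not Defender honoured it, and on a host with Tamper Protection enabled these keys are protected, so the write is the signal, not a confirmed loss of coverage.

```python
import re
from collections import Counter

# Constructed sample input: registry events copied from the sandbox tables in
# this report, plus one benign "0" write from svchost.exe as a negative case,
# in the report's own "Set value (type) key\value = "data" process target" layout.
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A
'''

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "(.*)" (\S+) (\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (\\REGISTRY\\.*?) (\S+) (\S+)$')

# Key prefixes compared case-insensitively, since registry paths are case-insensitive.
DEFENDER_POLICY = r'\registry\machine\software\policies\microsoft\windows defender'
TAMPER_PROTECTION = r'\registry\machine\software\microsoft\windows defender\features\tamperprotection'


def parse_events(text):
    """Turn the report's flattened registry rows into dicts; rows that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            vtype, key, data, process, _target = m.groups()
            events.append({'op': 'set', 'type': vtype, 'key': key, 'data': data, 'process': process})
            continue
        m = KEY_CREATED_RE.match(line)
        if m:
            key, process, _target = m.groups()
            events.append({'op': 'create', 'type': None, 'key': key, 'data': None, 'process': process})
    return events


def classify(ev):
    """Return (severity, rule) for one event, or None if it matches no rule (rule names are this example's)."""
    key = ev['key'].lower()
    name = key.rsplit('\\', 1)[-1]
    if ev['op'] == 'create' and key.startswith(DEFENDER_POLICY + '\\'):
        return ('medium', 'defender_policy_key_created')
    if ev['op'] != 'set':
        return None
    # Policy-side Disable* switches set to 1 turn off real-time, behaviour, IOAV and on-access scanning.
    if key.startswith(DEFENDER_POLICY + '\\') and name.startswith('disable') and ev['data'] == '1':
        return ('high', 'defender_policy_disable')
    if key == TAMPER_PROTECTION and ev['data'] == '0':
        return ('high', 'tamper_protection_off')
    # wextract_cleanupN RunOnce values are left by IExpress/WExtract self-extractors; legitimate
    # installers leave them too, so on its own this is only a low-confidence packaging marker.
    if '\\currentversion\\runonce\\' in key and name.startswith('wextract_cleanup'):
        return ('low', 'wextract_sfx_cleanup')
    return None


def analyze(text):
    """Run every parsed event through classify() and keep the hits, in report order."""
    findings = []
    for ev in parse_events(text):
        hit = classify(ev)
        if hit:
            severity, rule = hit
            findings.append({'severity': severity, 'rule': rule, 'key': ev['key'], 'process': ev['process']})
    return findings


def high_severity_by_process(findings):
    """Count high-severity findings per writing process, the first pivot a triage analyst wants."""
    return dict(Counter(f['process'] for f in findings if f['severity'] == 'high'))


if __name__ == '__main__':
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:6} {f['rule']:28} {f['process']}")
    print(high_severity_by_process(found))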

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2920 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe | 3
PID 972 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe | 3
PID 3656 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe | 3
PID 2684 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe | 3
PID 1984 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe | 2
PID 1984 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe | 3
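The WriteProcessMemory rows above are the only place this report ties PIDs to the dropped files, so they are the raw material for reconstructing the execution chain: each writer is the SFX stage that spawned the target, and the IXP000 to IXP004 directory names give the nesting depth. The Python below is an added example, not part of the sandbox report: it parses rows in the report's "PID <writer> wrote to memory of <child> <indicator> <writer path> <child path>" layout, collapses the repeated rows into one edge per child, and renders the tree and the per-stage IXP layer index. The sample rows are copied from the table above; the function names are this example's own, and the assumption that "wrote to memory of" maps writer to spawned child is how this report's rows read, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the "Suspicious use of WriteProcessMemory" table above,
# including some of the report's repeated rows to show that they collapse into one edge.
SAMPLE_WPM = r'''
PID 2920 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe
PID 2920 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe
PID 972 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe
PID 3656 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe
PID 2684 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe
PID 1984 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe
PID 1984 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe
PID 1984 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe
'''

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$')
# IXPnnn.TMP is the extraction directory that WExtract (IExpress) creates under %TEMP%.
IXP_RE = re.compile(r'\\IXP(\d{3})\.TMP\\', re.IGNORECASE)


def parse_writes(text):
    """Map child PID -> (writer PID, writer path, child path); repeated rows collapse to one edge."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            writer, child, writer_path, child_path = m.groups()
            edges[int(child)] = (int(writer), writer_path, child_path)
    return edges


def process_names(edges):
    """PID -> image path, taking the child path where known and the writer path otherwise."""
    names = {}
    for child, (writer, writer_path, child_path) in edges.items():
        names[child] = child_path
        names.setdefault(writer, writer_path)
    return names


def roots(edges):
    """PIDs that wrote into other processes but were never written into themselves."""
    writers = {writer for writer, _, _ in edges.values()}
    return sorted(writers - set(edges))


def chain_to(edges, pid):
    """Writer chain from the root down to pid, e.g. [2920, 972, ..., pid]."""
    chain = [pid]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]][0])
    return chain[::-1]


def sfx_layers(edges, pid):
    """IXPnnn index of each process on the chain to pid (None when it is not inside an IXP directory)."""
    names = process_names(edges)
    layers = []
    for p in chain_to(edges, pid):
        m = IXP_RE.search(names[p])
        layers.append(int(m.group(1)) if m else None)
    return layers


def render_tree(edges):
    """Indented text tree, one line per process, starting from each root."""
    names = process_names(edges)
    kids = defaultdict(list)
    for child, (writer, _, _) in edges.items():
        kids[writer].append(child)
    lines = []

    def walk(pid, depth):
        lines.append('  ' * depth + f'{pid} {names[pid]}')
        for c in sorted(kids[pid]):
            walk(c, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return lines


if __name__ == '__main__':
    edges = parse_writes(SAMPLE_WPM)
    print('\n'.join(render_tree(edges)))
    for leaf in (1912, 5044):
        print(leaf, 'chain:', chain_to(edges, leaf), 'IXP layers:', sfx_layers(edges, leaf))
```

On this sample the layer list for either leaf is [None, 0, 1, 2, 3, 4]: the submitted file sits outside any IXP directory and every hop moves exactly one extraction layer deeper, which is the signature of a chain of nested self-extractors rather than of a single loader spawning helpers.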

Processes

Process tree, with PIDs taken from the WriteProcessMemory events above (each writer is the stage that spawned the next). Command lines for the IXP stages are the bare image path with no arguments.

2920  C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\d576dc80ce716853427938907daf18bdcc81378400bf170bb7bd64149aeb1e32.exe"
  972   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe
    3656  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe
      2684  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe
        1984  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe
          1912  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe   (writes the Defender policy and TamperProtection values listed under Signatures)
          5044  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe   (the process whose memory regions are dumped under Files)

C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe start wuauserv   (PID and parent are not recorded in this report)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.23:4124 | (none) | tcp
RU | 193.233.20.23:4124 | (none) | tcp
RU | 193.233.20.23:4124 | (none) | tcp
RU | 193.233.20.23:4124 | (none) | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
RU | 193.233.20.23:4124 | (none) | tcp
RU | 193.233.20.23:4124 | (none) | tcp

The in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8 for 52.167.17.97, 2.23.210.83, 20.190.159.73, 192.229.221.95 and 52.111.229.43. The only non-DNS traffic is six TCP connections to 193.233.20.23 on port 4124 with no associated domain; the report does not record which process opened them or what was exchanged.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVG21Im84.exe

MD5 6098322f174bde317437c536f5585368
SHA1 edc4188f6bf6f7622fe25448978362fe1357ca78
SHA256 8972625e6dc6990e28a6851822a449172e7658a26243d199f68e71bbda3d123e
SHA512 d2bce279dc111f4587c10fe2729e0f7c705d2508e0cf3959640f9c1aa1812dd98810f353135e127a7215352a58664ea5ed3c49151bcae5216dc33c6af0b88cf1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sbW26ql22.exe

MD5 f85a411d807576cf092837b66b116ac3
SHA1 b805803379661ee45a2d370a7b8c44bda589d3e8
SHA256 cbe2bc9ba71537789e16d6660099e13cb88c496fa46e322573db32b5ecf4bedc
SHA512 522d233badd7a7c1f60852ad0cc949976b18670bdf361329b5db14d306dd277bb6e0359fe09c5dd77d1285d21cc7ec91ee5c39882389ca90114826d84c112763

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sbu33Im61.exe

MD5 94423609eb5a78590a7e78ca8493ab98
SHA1 c8c51e0956b23395b6acd72a5053a9ef80aebb6a
SHA256 d6c6e16d83fe77c10b8682d575449cffab10b9d8ba66a4bea9a907a4221a31af
SHA512 83da0091f4ffe250a2b77ea853b1c9ca927251aa6253bc766b9634fbbbb93c2032824afdb0ccfc454dee7b276c51f1650d24422af7442b8eac1080d00906f2e5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sDa63SW89.exe

MD5 dbcac4ee3e2af0c6ad285dd8cab1cda0
SHA1 5021755539081902431f64b5299fecdbec27dab6
SHA256 019dbd9d702ba17b0cb338464d9291c911b92e5ecef313e10cfc2937b25c527d
SHA512 c3d5553337aad8738949e6e82c63b5ae8e958016c984311531f423cbd705c048ed7b6acf3b1c391b9be4536e0dc893cc02df56374ba56b267e89f4af70ef128e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iWi51Cr.exe

MD5 8eee712d19bc51693392849d396c050c
SHA1 1319567429a160bb2fcf44751f93451769970d2b
SHA256 ae51c96b2fc1624350c87da82fa3cb54ce2321304611ccd44af6dea6531b35f5
SHA512 8a8e9f01b18ba689dc7e4ace3901fee0832eb92b39c628fc9d3c4f2b9d3034958c718bb6f36fb0d8f2c892f5917bc8fab43237f3113d437ded219f8a1377ae3b

memory/1912-35-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ktI25iS.exe

MD5 231430e854c098688aa6848702c5018e
SHA1 46a9be0ad282ff66b7de6586c6cf86ff5057651d
SHA256 c2c7ced4db7b7a5eb5960c2d518179b7798494fe893b5bb22c756a811460cdf9
SHA512 202a0ec01cdd18613c8fb423418ec0abf3382f2ea8d957c287324c23d083a7ab61fb5207c0e9c3bfb421a58f821daf81506e2ecb4d08fa2cfa993587e1e44217

memory/5044-41-0x0000000002790000-0x00000000027D6000-memory.dmp
memory/5044-42-0x0000000004D10000-0x00000000052B4000-memory.dmp
memory/5044-43-0x0000000004B80000-0x0000000004BC4000-memory.dmp
memory/5044-{53,55,107,105,103,101,97,95,93,91,89,87,85,81,79,77,75,73,71,67,65,63,61,60,57,51,49,47,99,83,69,45,44}-0x0000000004B80000-0x0000000004BBF000-memory.dmp (33 dumps of the same 0x3F000-byte region of PID 5044)
memory/5044-950-0x00000000052C0000-0x00000000058D8000-memory.dmp
memory/5044-951-0x00000000058E0000-0x00000000059EA000-memory.dmp
memory/5044-952-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/5044-953-0x00000000059F0000-0x0000000005A2C000-memory.dmp
memory/5044-954-0x0000000005B30000-0x0000000005B7C000-memory.dmp