Malware Analysis Report

2024-11-30 23:16

Sample ID 241111-h3lg1swbnd
Target da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e
SHA256 da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e
Tags
healer redline rodik discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

RedLine payload

RedLine

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 07:15

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 07:15

Reported

2024-11-11 07:18

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4904 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
PID 4904 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
PID 4904 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
PID 1376 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
PID 1376 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
PID 1376 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
PID 2948 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
PID 2948 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
PID 2948 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
PID 3916 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
PID 3916 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
PID 3916 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
PID 3916 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe
PID 3916 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe "C:\Users\Admin\AppData\Local\Temp\da7ea5bbdbda4355c08dee33105a2577f239cb3cf44a0a45a7a2f2d90e1e5c2e.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sMd69eR69.exe

MD5 48d76ba7eba9fe36abfdcf0eb805d4e6
SHA1 50290672b453e591c60754011b3651ed80acee6a
SHA256 98f0908162a9ff04724af618b89f18f372c516aa308bc45a960cfd5732a319a3
SHA512 6959d0c37e5da7b7f26d827a8b51972a901a1f8262a5b4f5af485fe10b4e1cfe57d2c17b6c2b84e8cd8282ddfbc8d673ef5c5b82b3fa2ec34ccc2bc9aca3e029

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seR20tx67.exe

MD5 011f572cd01040ae90f4c2bec985279e
SHA1 53b48ee92c94b118051ae561091cf3f09445e5a2
SHA256 88feb9c9fefc90e4e5692cbe903f14acf18d2abc3811a7cbe1c22634b83c3021
SHA512 198edfebf162d32c88f58eb1dd415110fed01655164e6e195a2b1ec7863a7d300ca04ff3cbac7b96f0abef9e31304b4f68479d909a93ca311ba6bc2f6fb9d4f5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\shQ07NY07.exe

MD5 24c66ce9bd9f1848461d318aaa2965d1
SHA1 e1654fb970dd38239f22aa980faf5db20fe6ac31
SHA256 651f812f9cdeed77d6a0078fdc425a036ef00dff1b452da53683b048522c2b33
SHA512 263841ddd5975ee6229469db9e59e3a50523b4bb2d4c8bf8350fc8e614a288440103176b8321b9fc582a020e8ad4eff28496aa0d92e8fecb7c584c3f321ab92c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iTc67ii.exe

MD5 96bc4aa13190b64dbac933e84b3755bf
SHA1 02eea495c0471e5bf620fcbb1e7236a9af6884d7
SHA256 813d515b4bf61ca4ec78dcca4ec5881d170f40fec4ba94dd6126b693f1f24a1a
SHA512 12e9eeb9a8b44a71e84d962072d6a19a2cee2b115299eab8378ef822fd933faaf97f606b4c5febe059a5c9d81d75aa331ee591fc2bb2d69fc2dd4d3fd5868fc8

memory/4560-28-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ket87DV.exe

MD5 a6adc2e80b48f93ba7b7a58f2465d794
SHA1 f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a
SHA256 a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4
SHA512 ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41
