Malware Analysis Report

2024-12-07 03:56

Sample ID: 241113-ptjqdsvqcn
Target: 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe
SHA256: 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248

Threat Level: Known bad

The file 3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Healer family

RedLine

Redline family

Detects Healer, an antivirus-disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 12:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 12:37
Reported: 2024-11-13 12:39
Platform: win10v2004-20241007-en
Max time kernel: 118s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (17 rows, all N/A: the rule matched, but the report carries no indicator, process or target details for it)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A

Note: all five writes come from the dropped pro7386.exe and create the Real-Time Protection policy key from scratch, which fits the "antivirus disabler" role of the Healer detection. The paths are logged under the WOW6432Node view because the process is 32-bit (its crash is handled by SysWOW64\WerFault.exe); when checking a live host, inspect both the native and the WOW6432Node view. Whether these values actually switch protection off depends on Tamper Protection: when it is enabled, Defender is designed to ignore registry-driven attempts to disable real-time protection, so compare the registry state with what the engine itself reports.

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (20 rows, all N/A: the rule matched, but the report carries no indicator, process or target details for it)

Redline family

redline

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A

Note: the TamperProtection value under Windows Defender\Features is itself one of the settings Tamper Protection guards, so on a host where Tamper Protection is on this write is expected to be ignored rather than to switch it off. Its presence is still a useful indicator: a legitimate installer has no reason to touch it.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe | N/A

Note: the "persistence" tag is a heuristic here. A RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder is the standard self-cleanup registered by the Windows IExpress/WEXTRACT self-extractor stub: it deletes the extraction folder at next logon and does not relaunch anything. Together with the IXP000.TMP extraction folder it identifies the outer sample as an IExpress package that unpacks pro7386.exe and qu8627.exe. Because the cleanup only runs at next logon, the dropped executables remain on disk until then, which is the window in which to collect them.
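The following host-triage script is an added example, not part of the sandbox output. It checks a live Windows host for the three artifact groups recorded above: the Real-Time Protection policy values and the TamperProtection value written by pro7386.exe, and the IExpress cleanup RunOnce value plus IXP*.TMP extraction folders left by the outer package. It reads both the native and the WOW6432Node registry views (an assumption: the report only shows the WOW6432Node paths), compares the registry state with what Defender itself reports through Get-MpComputerStatus, and hashes any executables found in IXP*.TMP folders against the two SHA256 values from the Files section. Function names, the output shape and the "check both views" decision are mine; the registry paths, value names and hashes are taken from this report.

```powershell
<#
  Added host-triage check for the artifacts in this report (editor's example,
  not sandbox output). Run in an elevated PowerShell on a host suspected of
  having executed the sample. Registry paths, value names and hashes come
  from the report; function names and output layout are assumptions.
#>

$RtpDisableValues = @(
    'DisableScanOnRealtimeEnable', 'DisableBehaviorMonitoring',
    'DisableIOAVProtection', 'DisableOnAccessProtection',
    'DisableRealtimeMonitoring'
)

# The sample is 32-bit (its crash handler is SysWOW64\WerFault.exe), so the
# sandbox logged its writes under the WOW6432Node view. Check both views.
$DefenderPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$DefenderFeatureKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features'
)
$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
# SHA256 of the two dropped files, copied from the Files section of the report.
$KnownBadSha256 = @{
    '3CE75C5275201122E95A92A2937CA7A98F828DAD2A0E3E7D12D5F53B7C2B8D6D' = 'pro7386.exe (Healer)'
    '9B0D8E1B89988746776AFA9DE5AA3087E181E5B8C08E50EDE88DF82F116FE653' = 'qu8627.exe (RedLine)'
}

function Get-RegistryValueOrNull([string]$Key, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $prop = (Get-ItemProperty -LiteralPath $Key).PSObject.Properties[$Name]
    if ($prop) { $prop.Value } else { $null }
}

function Find-DefenderTampering {
    # Every "Disable*" = 1 under the Real-Time Protection policy key, in either view.
    foreach ($key in $DefenderPolicyKeys) {
        foreach ($name in $RtpDisableValues) {
            if ((Get-RegistryValueOrNull $key $name) -eq 1) {
                [pscustomobject]@{ Finding = 'RTP policy disabled'; Key = $key; Value = $name; Data = 1 }
            }
        }
    }
    # TamperProtection = 0 under Windows Defender\Features, in either view.
    foreach ($key in $DefenderFeatureKeys) {
        $tp = Get-RegistryValueOrNull $key 'TamperProtection'
        if ($null -ne $tp -and $tp -eq 0) {
            [pscustomobject]@{ Finding = 'TamperProtection set to 0'; Key = $key; Value = 'TamperProtection'; Data = 0 }
        }
    }
}

function Get-DefenderEffectiveState {
    # What the engine reports, as opposed to what the registry says. A registry
    # hit with RealTimeProtectionEnabled = True means the attempt was ignored
    # (Tamper Protection on); a hit with False means it took effect.
    try {
        Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled,
            BehaviorMonitorEnabled, IoavProtectionEnabled,
            OnAccessProtectionEnabled, IsTamperProtected
    } catch {
        Write-Warning "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
    }
}

function Find-IExpressResidue {
    # wextract_cleanup* RunOnce values are written by any IExpress package,
    # benign or not; the folder contents decide. The cleanup only runs at next
    # logon, so until then the dropped EXEs are still on disk to be hashed.
    foreach ($key in $RunOnceKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -like 'wextract_cleanup*' } |
            ForEach-Object {
                [pscustomobject]@{ Finding = 'IExpress cleanup RunOnce'; Key = $key; Value = $_.Name; Data = $_.Value }
            }
    }
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue |
        Get-ChildItem -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $label = if ($KnownBadSha256.ContainsKey($hash)) { $KnownBadSha256[$hash] } else { 'unknown; submit for analysis' }
            [pscustomobject]@{ Finding = 'EXE in IXP*.TMP'; Key = $_.FullName; Value = $hash; Data = $label }
        }
}

Find-DefenderTampering   | Format-Table -AutoSize
Get-DefenderEffectiveState | Format-List
Find-IExpressResidue     | Format-Table -AutoSize
```

Read the three outputs together: registry findings without a matching False in the Defender status mean the disable attempt was blocked, while a wextract_cleanup RunOnce value on its own proves only that an IExpress package ran, so act on the hash match or, for an unknown hash, on the file itself.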

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe | N/A

Processes

PID 3876 is pro7386.exe and PID 4964 is qu8627.exe (their memory dumps are listed under those files in the Files section). The two WerFault.exe instances are Windows Error Reporting handling the crash of PID 3876, which is the "Program crash" item in the summary; the SysWOW64 copy of WerFault.exe is used because the crashed process is 32-bit.

Image | Command line
C:\Users\Admin\AppData\Local\Temp\3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe | "C:\Users\Admin\AppData\Local\Temp\3070f5e988f410ec96b8a7b0daeee554db6ff8ffc90870bb28557dcb59507248.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3876 -ip 3876
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1080
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
RU | 176.113.115.145:4125 | - | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp

Note: every UDP row is a reverse (PTR) lookup sent to Google's resolver at 8.8.8.8, and the report does not attribute them to a specific process. The five TCP connections to 176.113.115.145:4125 are the only non-DNS traffic in the run and were made directly to the IP with no hostname resolved, so that address and port are the network indicator to take from this detonation.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro7386.exe

MD5 ff3bc552737a47c16c36f3511b9b0c93
SHA1 50a65a98e62931422cc0c5a08cd1647f092f2f92
SHA256 3ce75c5275201122e95a92a2937ca7a98f828dad2a0e3e7d12d5f53b7c2b8d6d
SHA512 e3dcec77eb9a57b5aa39aff2501ba97d1ab2d675efbcc3a7bf4b74fca1e25d7de4ef8674143ea28329f5390bbeb784e9704b7f049ff3d05f9c573b0492eafaea

memory/3876-8-0x00000000009B0000-0x0000000000AB0000-memory.dmp
memory/3876-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3876-10-0x0000000000400000-0x00000000007FE000-memory.dmp
memory/3876-11-0x0000000000400000-0x00000000007FE000-memory.dmp
memory/3876-12-0x0000000002520000-0x000000000253A000-memory.dmp
memory/3876-13-0x0000000004FC0000-0x0000000005564000-memory.dmp
memory/3876-14-0x0000000002960000-0x0000000002978000-memory.dmp
memory/3876-18-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-40-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-38-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-36-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-34-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-32-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-31-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-28-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-26-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-24-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-22-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-21-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-16-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-15-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-42-0x0000000002960000-0x0000000002972000-memory.dmp
memory/3876-43-0x00000000009B0000-0x0000000000AB0000-memory.dmp
memory/3876-44-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3876-47-0x0000000000400000-0x00000000007FE000-memory.dmp
memory/3876-48-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu8627.exe

MD5 1861f1299a87f43f91590ba62aaaeb6a
SHA1 c82069209d27dd7388f8d008b5954b6621a6d84f
SHA256 9b0d8e1b89988746776afa9de5aa3087e181e5b8c08e50ede88df82f116fe653
SHA512 ca0396533a8933b7d7e98a9a1a85c64e163f7e789ec861627db70d1bbcf6cf239854ef3f287158f11e65866c7347da47f6b863a7d4b7b31df6be70b2e9288c34

memory/4964-54-0x00000000029A0000-0x00000000029E6000-memory.dmp
memory/4964-56-0x0000000004DE0000-0x0000000004E24000-memory.dmp
memory/4964-55-0x0000000000400000-0x000000000080C000-memory.dmp
memory/4964-53-0x0000000000400000-0x000000000080C000-memory.dmp
memory/4964-88-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-90-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-86-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-84-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-82-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-80-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-78-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-76-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-74-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-72-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-70-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-68-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-66-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-64-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-62-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-60-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-58-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-57-0x0000000004DE0000-0x0000000004E1F000-memory.dmp
memory/4964-963-0x00000000054D0000-0x0000000005AE8000-memory.dmp
memory/4964-964-0x0000000005AF0000-0x0000000005BFA000-memory.dmp
memory/4964-965-0x0000000005C20000-0x0000000005C32000-memory.dmp
memory/4964-966-0x0000000005C40000-0x0000000005C7C000-memory.dmp
memory/4964-967-0x0000000005D90000-0x0000000005DDC000-memory.dmp