Malware Analysis Report

2024-12-07 03:57

Sample ID 241113-qn7eyawkhm
Target 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe
SHA256 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0
Tags
healer redline rouch discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0

Threat Level: Known bad

The file 7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rouch discovery dropper evasion infostealer persistence trojan

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 13:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 13:25

Reported

2024-11-13 13:27

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(35 rows reported; every field N/A)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2912 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe
PID 2912 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe
PID 2912 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe
PID 4196 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe
PID 4196 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe
PID 4196 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe
PID 3064 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe
PID 3064 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe
PID 3064 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe
PID 372 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe
PID 372 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe
PID 372 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe
PID 372 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe
PID 372 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7ff164f6d9a8c6c4c16036fc1b5dee60ce8feb08cf4147300d1c340155aa55d0.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FR | 193.56.146.11:4162 | - | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
FR | 193.56.146.11:4162 | - | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
FR | 193.56.146.11:4162 | - | tcp
FR | 193.56.146.11:4162 | - | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
FR | 193.56.146.11:4162 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plQj03VQ37.exe

MD5 a80adfefab4b196c3b5f98505c3937c5
SHA1 6e34307edbbf4d3935674fe5255a37222a776445
SHA256 b479c94cc9f947d24a0f3ba7781be802c6227db9c0191daa9be7f957986761e4
SHA512 eeee51ea4d7800282550a9ef75fb6cb402a6225b34e43511e6a8128435eea4bc3e57e76109518198cb5a4ec3f56fc4185c70e62805cc3482942f62a4a49b1da5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plkz35SO10.exe

MD5 d65bb58147d325d09cc6bd41ce7ac921
SHA1 0f6412520a0e79b9ec1b850559a3c0f3d9a016ec
SHA256 425dbf9332067e96a75f005275f2833f0ac64d569d7e2a423b88bb3ce00c8528
SHA512 dfc913b966ab1f64d6412f39635a145832597652ec88fad0860fea0f3a845104a478e75eabba1b44471b65ba6e8f144eb8e4be329243a16e1f32c3a8712bd913

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEt55fG57.exe

MD5 a4eca6e9bfdb86685646cbe06ba0350d
SHA1 811d81d2adfaad8e1cccaf297a7bbabe90534fd7
SHA256 72f120aa64a04495a899c675c0c93ed9fd01766519f2a528d6fff3da30671b99
SHA512 4a25a32710cb2a8b5d163a52fc8535aafe3ec49883ac9cafd1a4503c9d7bfcd52d737a37c5c3ad6b95845a76b9a5b649b6dfc49f779e38279a87bd7ef834321f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budM97gi40.exe

MD5 99e424546741eea90b6534de55068b27
SHA1 fca6fd344b3a70ca90f124720796057466eff1dd
SHA256 a4460ec4a7b91f662927f98ce5e972d2d5feecb806f99ec94b44b7c1a2745035
SHA512 3235e7d02f92c8f660bf6a3746622bd50038973512b0d53927d016a908c39ec479e7e20e9a49eabd3a861f25fc9c064089b3562a7a17ab179a04f83101f003a7

memory/760-28-0x0000000000660000-0x000000000066A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\casv44Ni50.exe

MD5 6940451e769c094029427d1531775121
SHA1 03c763ca8ebc6896fb35c9f8d4d3fc64d03fe850
SHA256 ab9bbcc3bb273a1f13db7566032205b26f5a4a634194ba39007349aa34801dca
SHA512 53578c0693e6a171feec767f38f4601da453875d14a37f82e3ca30cce3b7217d4b5b0a6de659d54d11810ee238bd5816d2bc9635cf20dcd9f73901a09c08ff06

memory/5020-34-0x00000000025D0000-0x0000000002616000-memory.dmp

memory/5020-35-0x0000000004C50000-0x00000000051F4000-memory.dmp

memory/5020-36-0x0000000004B90000-0x0000000004BD4000-memory.dmp

memory/5020-38-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-96-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-68-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-37-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-100-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-98-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-94-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-92-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-90-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-88-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-86-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-84-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-82-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-80-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-78-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-76-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-74-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-72-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-70-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-66-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-64-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-63-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-60-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-58-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-56-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-54-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-52-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-50-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-48-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-46-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-44-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-42-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-40-0x0000000004B90000-0x0000000004BCE000-memory.dmp

memory/5020-943-0x0000000005200000-0x0000000005818000-memory.dmp

memory/5020-944-0x0000000005860000-0x000000000596A000-memory.dmp

memory/5020-945-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/5020-946-0x0000000005AC0000-0x0000000005AFC000-memory.dmp

memory/5020-947-0x0000000005B10000-0x0000000005B5C000-memory.dmp