Malware Analysis Report

2024-12-07 03:50

Sample ID 241113-qnpvwswkgk
Target dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74.exe
SHA256 dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74

Threat Level: Known bad

The file dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Healer family

RedLine payload

Redline family

RedLine

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 13:24

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 13:24

Reported

2024-11-13 13:26

Platform

win10v2004-20241007-en

Max time kernel

114s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu0895.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu0895.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu0895.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74.exe

"C:\Users\Admin\AppData\Local\Temp\dd319a7682cd5747d0fb48aa3adde8a47589e504e617ee6080913be43ab93d74.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu0895.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu0895.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 176.113.115.145:4125 | N/A | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | N/A | tcp
RU | 176.113.115.145:4125 | N/A | tcp
RU | 176.113.115.145:4125 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro5861.exe

MD5 46d38f1c33a1193e63c128b0d4d07a19
SHA1 0cbc44f56b7f25a085de60aae3486e72feba77fe
SHA256 9612222c4af797c3792caeb4456d8d121a37fbe5599c196b5d450402e7bb6703
SHA512 31890bb5e2a4b16c6c5a1100bc62e446647a0ab9f6666d286456c1bea2fd4aa1015bbd806e41f87730afcce2dce582b373d1a2e43ca4a00da4851c8f9c9ea9b7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu0895.exe

MD5 6db23d60021ee6b1576e28c2f42b55fd
SHA1 7859632cdfa67ba82192b993cd4e1879308a8c4a
SHA256 83476ab8f1a91479a2f74a554af0e6b27c3cd0a4a48c8d6d4273a82917b5629b
SHA512 a7365f60da8396228c1b50728ece6814df0d0269700c72785872816c5fbb77e9377a8530aa070f012129ec7d03c0c8687cbe8f357eebb9841ff97da48cd1d503
