Malware Analysis Report

2024-12-07 03:57

Sample ID 241113-qp8z6asgrp
Target a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe
SHA256 a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990
Tags
healer redline rosto discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990

Threat Level: Known bad

The file a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosto discovery dropper evasion infostealer persistence trojan

Healer

Redline family

Healer family

RedLine

RedLine payload

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 13:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 13:27

Reported

2024-11-13 13:29

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe N/A
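Reading the two Windows Defender tables and this RunOnce table together: uruv89rX84.exe writes the five Real-Time Protection policy values and TamperProtection = 0 under the WOW6432Node view of HKLM\SOFTWARE (it is a 32-bit process, which is also why WerFault runs from SysWOW64 in the process list below). The two RunOnce values, on the other hand, are not persistence: wextract_cleanupN entries that call advpack.dll,DelNodeRunDLL32 are what the Windows self-extractor (wextract.exe, the engine behind IExpress packages) registers so that its IXP00n.TMP extraction directory is deleted at next logon, which also explains the nested IXP000.TMP and IXP001.TMP paths. Two caveats the report cannot settle: the sandbox records the registry writes, not Defender's reaction, and on a host with Tamper Protection enabled Defender ignores registry-driven changes to these settings; flipping the TamperProtection value itself is exactly what that feature is built to refuse. The script below is an added example, not sandbox code. It parses rows in the format printed above (the sample rows are copied from this report, plus one hypothetical Run value, Updater -> svc.exe, that is not in the report and is included only to show how a real autostart entry is classified).

```python
"""Triage of registry rows from a sandbox report: Windows Defender tampering
versus self-extractor cleanup. Added example for this report, not sandbox code.

Each input line is one "Description Indicator Process Target" row as printed
in the report: either
  Set value (<type>) <key> = "<data>" <process> N/A
or
  Key created <key> <process> N/A
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the rows from this report's Defender and RunOnce tables,
# plus one hypothetical Run value (Updater -> svc.exe) that is NOT in the report
# and is included only to show how a genuine autostart entry is classified.
SAMPLE_ROWS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\svc.exe" C:\Users\Admin\AppData\Roaming\svc.exe N/A
'''

# "Key created" rows carry no data; the "Set value" rows decide the outcome.
SET_RE = re.compile(r'^Set value \((\w+)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+) N/A$')

# Compared against the case-folded key with the WOW6432Node component removed.
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION"
TAMPER_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\FEATURES\TAMPERPROTECTION"
RUN_KEYS = (r"\CURRENTVERSION\RUN", r"\CURRENTVERSION\RUNONCE")
# wextract.exe (IExpress packages) registers this RunOnce value to delete its
# IXP00n.TMP extraction directory at next logon: cleanup, not persistence.
SFX_CLEANUP_RE = re.compile(r"^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str      # defender_rtp_disabled | tamper_protection_zeroed | sfx_cleanup | run_key_persistence
    name: str      # registry value name, original case
    data: str
    process: str


def normalize(key: str) -> str:
    """Drop the WOW64 redirection component (the writer here is 32-bit) and
    fold case, so one rule matches both the 32-bit and 64-bit view of a key."""
    return key.replace(r"\WOW6432Node", "").upper()


def classify(key: str, data: str, proc: str) -> Finding | None:
    norm = normalize(key)
    parent, _, uname = norm.rpartition("\\")
    name = key.rpartition("\\")[2]
    if parent == RTP_POLICY and uname.startswith("DISABLE") and data == "1":
        return Finding("defender_rtp_disabled", name, data, proc)
    if norm == TAMPER_VALUE and data == "0":
        return Finding("tamper_protection_zeroed", name, data, proc)
    if parent.endswith(RUN_KEYS):
        is_cleanup = uname.startswith("WEXTRACT_CLEANUP") and bool(SFX_CLEANUP_RE.match(data))
        return Finding("sfx_cleanup" if is_cleanup else "run_key_persistence", name, data, proc)
    return None


def triage(rows: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in rows.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            f = classify(m["key"], m["data"], m["proc"])
            if f:
                findings.append(f)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        exe = f.process.rsplit("\\", 1)[-1]
        print(f"{f.kind:24} {f.name:28} {exe}")
    print(summarize(triage(SAMPLE_ROWS)))
```

On this report's rows the script yields five defender_rtp_disabled findings and one tamper_protection_zeroed, all from uruv89rX84.exe, and files both wextract_cleanup values as sfx_cleanup; only the constructed Updater row comes out as run_key_persistence. The same rules work on a real Sysmon EventID 13 feed once the key path and value data are pulled out of the event fields instead of the sandbox row format.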

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe
PID 2200 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe
PID 2200 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe
PID 3016 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe
PID 3016 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe
PID 3016 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe
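The rows above repeat each writer/target pair three times and carry no addresses, so the useful information is the chain itself: the submitted sample (PID 2200) writes into ycQe35NY24.exe (3016), which in turn writes into both uruv89rX84.exe (2416, the component behind the Defender changes, and the PID that WerFault is handling in the process list below) and wrKI11Pb35.exe (4776). A parent writing a handful of times into a child it has just created is typically CreateProcess setting up the new process, so these rows document the spawn chain rather than code injection; a write into a process the writer did not create, or one followed by a remote thread, would be the thing to chase. The script below is an added example, not sandbox code; it deduplicates rows in this table's format into a process tree and keeps the per-pair write count.

```python
"""Rebuild the spawn chain from the "wrote to memory of" rows of a sandbox
report. Added example for this report, not sandbox code."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed input: the nine rows of this report's WriteProcessMemory table.
SAMPLE_WRITES = r'''
PID 2200 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe
PID 2200 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe
PID 2200 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe
PID 3016 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe
PID 3016 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe
PID 3016 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe
PID 3016 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe
'''

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_writes(rows: str) -> list[tuple[int, int, str, str]]:
    """One (writer pid, target pid, writer image, target image) per row."""
    out = []
    for line in rows.strip().splitlines():
        m = WRITE_RE.match(line)
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return out


def build_tree(rows: str) -> tuple[dict[int, list[int]], dict[int, str], Counter]:
    """children[pid] -> target pids in first-seen order; image[pid] -> path;
    counts[(writer, target)] -> number of write events for that pair."""
    children: dict[int, list[int]] = defaultdict(list)
    image: dict[int, str] = {}
    counts: Counter = Counter()
    for src, dst, src_img, dst_img in parse_writes(rows):
        image[src], image[dst] = src_img, dst_img
        counts[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children), image, counts


def roots(children: dict[int, list[int]]) -> list[int]:
    """Writers that nobody wrote into: the top of each chain."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def render(rows: str) -> list[str]:
    """Indented text tree, one process per line, two spaces per level."""
    children, image, _ = build_tree(rows)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        exe = image[pid].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{pid} {exe}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for r in roots(children):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_WRITES)))
    _, _, counts = build_tree(SAMPLE_WRITES)
    for (src, dst), n in sorted(counts.items()):
        print(f"{src} -> {dst}: {n} write(s)")
```

The rendered tree is the sample at the root, ycQe35NY24.exe one level down, and uruv89rX84.exe and wrKI11Pb35.exe as siblings under it, with exactly three writes per edge. Anything that breaks that shape on another report, such as a target PID that also appears in the Processes list as unrelated to the writer, is where injection rather than spawning is likely.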

Processes

C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe

"C:\Users\Admin\AppData\Local\Temp\a3f93590ea33b8d8b791eb0b8eb1fd5efa1c5421ee97455229fd1b57b8249990.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2416 -ip 2416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
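All 30 rows are UDP queries to the sandbox's resolver (8.8.8.8:53) and fall into two groups: nine PTR lookups (in-addr.arpa names, the OS reverse-resolving addresses that the report ties to no process) and 21 lookups of hueref.eu, the only forward name in the table, repeated across the 116 s run. No TCP flow to a resolved address follows anywhere in this report, so whether the name resolved or a RedLine session was established is not shown; repeated re-resolution of one name with nothing after it is consistent with a resolution failure or a retry loop, and either way hueref.eu is the indicator to block and hunt for. The script below is an added example, not sandbox code; it splits rows in this table's format into the two groups, decodes PTR names back to the addresses being looked up, and lists names queried repeatedly.

```python
"""Split a sandbox report's DNS rows into reverse-lookup noise and forward
lookups worth chasing. Added example for this report, not sandbox code."""
from __future__ import annotations

import re
from collections import Counter

# Constructed input: the 30 rows of this report's Network table, in order.
SAMPLE_DNS = """
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
US 8.8.8.8:53 hueref.eu udp
"""

# Row format: "<country> <resolver ip>:<port> <queried name> <proto>"
DNS_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<resolver>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>\w+)$"
)
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> str | None:
    """Undo the reversed-octet encoding of an IPv4 PTR name; None if not one."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage_dns(rows: str, min_hits: int = 3) -> dict:
    """Count forward lookups per name, decode PTR queries to the addresses
    being reverse-resolved, and list names queried at least min_hits times."""
    forward: Counter = Counter()
    resolvers: Counter = Counter()
    reverse_ips: list[str] = []
    for line in rows.strip().splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        resolvers[f"{m['resolver']}:{m['port']}/{m['proto']}"] += 1
        ip = ptr_to_ip(m["name"])
        if ip is None:
            forward[m["name"].lower().rstrip(".")] += 1
        elif ip not in reverse_ips:
            reverse_ips.append(ip)
    repeated = [name for name, n in forward.most_common() if n >= min_hits]
    return {
        "forward": dict(forward),
        "repeated": repeated,
        "reverse_ips": reverse_ips,
        "resolvers": dict(resolvers),
    }


if __name__ == "__main__":
    result = triage_dns(SAMPLE_DNS)
    for name in result["repeated"]:
        print(f"{name}: {result['forward'][name]} queries")
    print("reverse-resolved:", ", ".join(result["reverse_ips"]))
    print("resolvers:", result["resolvers"])
```

On this table the output is hueref.eu with 21 queries, nine distinct reverse-resolved addresses, and a single resolver endpoint. The PTR group is worth keeping rather than discarding: on a different run, a reverse lookup of an address that the sample itself later connects to would be the hint that a hard-coded IP is in play, which a forward-name-only filter would miss.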

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycQe35NY24.exe

MD5 34757e3987e309cacc2de20c779c8882
SHA1 722779fd9fc3c9537f24edf2649a0ffb0f04226e
SHA256 aeecff4baaec1747c853d61dada09816f2c288a1af55c9914699368498a56fbd
SHA512 fb65ca6422adb0c17c642716a021d246edf0e70b3c2c764262a0d52315d314cdfb818a91f6805cce6321daf45fa96b93e762002000e936b71aa476a017a4b5be

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uruv89rX84.exe

MD5 99a158cf8893ed9ba9f95c8a8d305f7e
SHA1 d93e3ec8b044006faf4648bc20550bb9f84206b3
SHA256 9fcfc396efbaacf64160dd22e4942aa2113e023c43e0aa5a31fad0183c0602b0
SHA512 b78c00ef8def2849d36dc37af1cf624e71d2bdf1da71dcb19005dedbe6d4e5b6ae0663a232583c019a976ac903f1d953c7085beab57c64b5266242c7aabf4122

memory/2416-15-0x0000000000820000-0x0000000000920000-memory.dmp

memory/2416-16-0x0000000000650000-0x000000000067D000-memory.dmp

memory/2416-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2416-18-0x0000000000400000-0x000000000057E000-memory.dmp

memory/2416-19-0x0000000002200000-0x000000000221A000-memory.dmp

memory/2416-20-0x0000000004C10000-0x00000000051B4000-memory.dmp

memory/2416-21-0x00000000023B0000-0x00000000023C8000-memory.dmp

memory/2416-22-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-23-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-49-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-47-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-45-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-43-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-41-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-39-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-37-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-35-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-33-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-31-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-29-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-27-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-25-0x00000000023B0000-0x00000000023C2000-memory.dmp

memory/2416-50-0x0000000000820000-0x0000000000920000-memory.dmp

memory/2416-51-0x0000000000650000-0x000000000067D000-memory.dmp

memory/2416-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2416-55-0x0000000000400000-0x000000000057E000-memory.dmp

memory/2416-56-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrKI11Pb35.exe

MD5 5219e8f0103dcdc1edfc06a291fa3dc5
SHA1 176526bf4ebef1bfcf7cf535ae8707739e8b94ef
SHA256 79e9c0528a3deef77dc8e379e8d4d889ecabd5cf04e1d6756f92ca55c13f4a7d
SHA512 445da5e0a94d36dd96da459d028d706ed5067f4b95f30708d44daeeea933f01f42999f51cd1a889a73173e43924b1957e8259834dd5327c3b0d7baf4b1edbbf6

memory/4776-61-0x0000000002260000-0x00000000022A6000-memory.dmp

memory/4776-62-0x0000000002560000-0x00000000025A4000-memory.dmp

memory/4776-64-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-76-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-96-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-94-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-92-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-90-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-88-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-86-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-84-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-82-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-78-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-74-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-72-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-70-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-68-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-66-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-80-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-63-0x0000000002560000-0x000000000259E000-memory.dmp

memory/4776-969-0x0000000005280000-0x0000000005898000-memory.dmp

memory/4776-970-0x00000000058A0000-0x00000000059AA000-memory.dmp

memory/4776-971-0x00000000059B0000-0x00000000059C2000-memory.dmp

memory/4776-972-0x00000000059D0000-0x0000000005A0C000-memory.dmp

memory/4776-973-0x0000000005B10000-0x0000000005B5C000-memory.dmp