Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-r66rsstkcy
Target 23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe
SHA256 23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085

Threat Level: Known bad

The file 23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Redline family

Healer

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:49

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:49

Reported

2024-11-13 14:51

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe
PID 1800 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe
PID 1800 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe
PID 712 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe
PID 712 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe
PID 712 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe
PID 712 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe
PID 712 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe
PID 1800 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe
PID 1800 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe
PID 1800 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe

"C:\Users\Admin\AppData\Local\Temp\23033c47b77272a35e81582e2b2ed02ea2ac249e441f09464e6bacf1294f3085N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2136 -ip 2136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3966.exe

MD5 e7487ac288caedf3524888470a1e5f40
SHA1 a3e727a478bbcfc56423b5a4c0c644489fb01ea5
SHA256 f44ce0284c1cfc8cc9b1d1cd7002595b76ec4a86ecad73a680533503d3b6919f
SHA512 bd6639923dcb17392996c38d5ba4ca63e9ef3d370f1770a1b6a663109ef691d3766ad5d9497a427072dc2bf82e0df96929d3467ddb90add2c3e724397cc6f199

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tz3087.exe

MD5 14a78ce221fe8260ea11839b96260d7a
SHA1 170b71519031db5813d26c050c08e228d0993971
SHA256 bff201e862ffe1aab4b8349062bdf7a4fb094588b458de08a4239351d8c910c4
SHA512 f66db240612684a84fc0c5a487b0fb87218e40066d39a1a4b9ea0390ee251522b2061d1b17bfbef944f1d352f3d78b68d75eff0c09f11039c2f45084b35656b3

memory/1152-14-0x00007FFBC4013000-0x00007FFBC4015000-memory.dmp

memory/1152-15-0x0000000000700000-0x000000000070A000-memory.dmp

memory/1152-16-0x00007FFBC4013000-0x00007FFBC4015000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5926iw.exe

MD5 86fc44715347be12995d8903097c5195
SHA1 c7dac1af2fe80e70924d1a694e064680241cd1bd
SHA256 cd055916bc7b414aacfec35d7977c36db842e7ada48911ec854e6bd9cc28c684
SHA512 fcf1097da3c8d7a3ea01b0f0618c7d6edbbf78648dafb0ca879621d2c1f05ed4daa787e84a90613a9e3d0b789691c96757d8791128a8466310b401f0399fdaec

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w33bz09.exe

MD5 635b2441ece8cc75179c0281e75fc38f
SHA1 03c3a4775c94427213b013231df29caf527dfd6e
SHA256 eafc4e3672d25fef305142356ec782830202b86a0845948551cbc287a6db30e2
SHA512 a86b14a9b1b70deba94ec313f5b22ac30a241d2e65e517713b991bcaa36b7537d2c5570aed5113ad4fb2af6849afcff4856ea9e45144211432af4364afab7915
