Malware Analysis Report

2024-12-07 04:00

Sample ID 241113-rdv5latcpl
Target c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe
SHA256 c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753
Tags
healer redline boris discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753

Threat Level: Known bad

The file c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe was found to be: Known bad.

Malicious Activity Summary

healer redline boris discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

Healer

Detects Healer, an antivirus disabler dropper

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:05

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:05

Reported

2024-11-13 14:07

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe N/A
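As an added example (not part of the sandbox report), the Defender and RunOnce indicators above expressed as a small triage rule over registry value-set events. It normalises the kernel-style \REGISTRY\MACHINE paths and drops the WOW6432Node hop recorded for the 32-bit pro1629.exe, so one rule matches native and 32-bit writes; it flags the five Real-Time Protection Disable* policy values being set to 1 and TamperProtection being set to 0; and it separates the dropper's RunOnce entry, which is the standard cleanup command an IExpress/WEXTRACT self-extractor registers to delete its IXP000.TMP folder, from a genuine Run-key autostart. The event field names (op, path, data, process) and the control rows are assumptions of the example; the sample events are constructed from the rows in this report. On a host where Tamper Protection is enforced these registry writes are ignored, so the hits document intent rather than outcome.

```python
"""Registry-event triage for the Defender-tampering and RunOnce indicators in
this report. Added example; not part of the sandbox output. Sample events are
constructed from the report's signature rows."""
import re
from collections import defaultdict

# Real-Time Protection policy values whose data "1" turns a component off
# (names exactly as they appear in the report's signature table).
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUN_KEY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Stock cleanup command an IExpress/WEXTRACT self-extractor registers to delete
# its %TEMP%\IXP000.TMP folder. By itself an installer artefact, so tag it apart
# from a real autostart entry.
WEXTRACT_CLEANUP_RE = re.compile(
    r'rundll32\.exe\s.*advpack\.dll,DelNodeRunDLL32\s+"?.*\\IXP\d{3}\.TMP', re.IGNORECASE
)
KERNEL_HKLM = "\\REGISTRY\\MACHINE\\"


def normalize_key(path):
    """Map a kernel-style \\REGISTRY\\MACHINE path to HKLM and drop the
    WOW6432Node hop so 32-bit and native writes compare equal."""
    if path.upper().startswith(KERNEL_HKLM):
        path = "HKLM\\" + path[len(KERNEL_HKLM):]
    return re.sub(r"\\WOW6432Node\\", r"\\", path, flags=re.IGNORECASE)


def classify(event):
    """Return the indicator tags that apply to one registry event
    (dict with keys op, path, data, process; field names are assumed)."""
    tags = []
    full = normalize_key(event["path"])
    key, _, value = full.rpartition("\\")
    data = str(event.get("data", ""))
    if event["op"] == "key_created":
        if full.lower() == RTP_POLICY_KEY.lower():
            tags.append("defender_rtp_policy_key_created")
        return tags
    if key.lower() == RTP_POLICY_KEY.lower() and value in DEFENDER_RTP_DISABLE_VALUES and data == "1":
        tags.append("defender_rtp_disabled:" + value)
    if key.lower() == FEATURES_KEY.lower() and value.lower() == "tamperprotection" and data == "0":
        tags.append("defender_tamper_protection_off")
    m = RUN_KEY_RE.match(full)
    if m:
        if WEXTRACT_CLEANUP_RE.search(data):
            tags.append("run_key_wextract_cleanup")
        else:
            tags.append("run_key_persistence:" + m.group("name"))
    return tags


def triage(events):
    """Group indicator tags by the writing process; untagged processes are omitted."""
    hits = defaultdict(list)
    for ev in events:
        for tag in classify(ev):
            hits[ev["process"]].append(tag)
    return dict(hits)


# Sample events constructed from this report's rows, plus one constructed control.
PRO = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe"
RTP_RAW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = (
    [{"op": "key_created", "path": RTP_RAW, "process": PRO}]
    + [{"op": "set", "path": RTP_RAW + "\\" + v, "data": "1", "process": PRO}
       for v in sorted(DEFENDER_RTP_DISABLE_VALUES)]
    + [
        {"op": "set", "data": "0", "process": PRO,
         "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
        {"op": "set", "process": DROPPER,
         "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
         "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
        # Control (constructed): re-enabling real-time monitoring must not fire.
        {"op": "set", "path": RTP_RAW + r"\DisableRealtimeMonitoring", "data": "0",
         "process": r"C:\Windows\System32\svchost.exe"},
    ]
)

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_EVENTS).items():
        print(proc)
        for t in tags:
            print("   ", t)
```

Run as-is to see the tags grouped per process; feed it your own Sysmon or EDR registry events by mapping their fields onto op/path/data/process. When hunting, query both the native and the WOW6432Node key paths, since the rule only sees whichever form your telemetry recorded.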

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe

"C:\Users\Admin\AppData\Local\Temp\c14a70e0f165972bafd04bb050eb20b6e9431c2f74c159c32fb1a64983108753N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4532 -ip 4532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
RU 193.233.20.32:4125 - tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
RU 193.233.20.32:4125 - tcp
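The table above mixes two kinds of traffic: UDP/53 queries to 8.8.8.8, every one of them a PTR (in-addr.arpa) lookup for an address that never appears as a TCP peer, and thirteen TCP connections to a single endpoint, 193.233.20.32:4125, made without any forward DNS query in the capture, which means the address is carried in the sample rather than resolved at run time. As an added example (not part of the report), the following code parses the table, reverses the PTR names back to the addresses they ask about, and counts the TCP endpoints so the one indicator worth blocking and hunting for stands out. The row text is copied from this report; the field names in the result dict are assumptions of the example.

```python
"""Triage of a sandbox Network table: split DNS traffic from direct TCP
connections and count the latter. Added example; not part of the report."""
from collections import Counter

# Rows copied from this report's Network table (a "-" in the Domain column,
# as used in the cleaned-up table above, is treated as empty).
NETWORK_TABLE = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
RU 193.233.20.32:4125 tcp
"""


def parse_row(line):
    """One table row -> dict. The Domain column is absent (or "-") on plain TCP rows."""
    fields = line.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError("unexpected row: %r" % line)
    if domain == "-":
        domain = None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def ptr_target(name):
    """Reverse an in-addr.arpa query name to the IPv4 address it asks about;
    None for anything that is not a reverse lookup."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(rows):
    """Count resolvers used, list PTR targets and forward lookups, and count TCP
    endpoints. With no forward lookups in the capture, every TCP peer was
    reached by a hard-coded address."""
    resolvers, tcp = Counter(), Counter()
    ptr_lookups, forward_names = [], set()
    for r in rows:
        if r["port"] == 53 and r["domain"]:
            resolvers["%s:%d" % (r["ip"], r["port"])] += 1
            target = ptr_target(r["domain"])
            if target:
                ptr_lookups.append(target)
            else:
                forward_names.add(r["domain"])
        elif r["proto"] == "tcp":
            tcp["%s:%d" % (r["ip"], r["port"])] += 1
    return {
        "dns_resolvers": dict(resolvers),
        "ptr_lookups": ptr_lookups,
        "forward_lookups": sorted(forward_names),
        "tcp_endpoints": dict(tcp),
        "direct_to_ip": not forward_names,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_table(NETWORK_TABLE)).items():
        print(k, v)
```

The same parser works on any table in this layout; when forward_lookups is non-empty, correlate those names against the TCP peers before calling an endpoint hard-coded.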

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro1629.exe

MD5 ef89f39ad4846a105411b50c01be86af
SHA1 520fce06b71635d922166c3ae60fd2c77b3724a6
SHA256 2350662762be2ad7f36d066e28efb3493ce732f15585fd63c84ba73db0ad45f6
SHA512 57ee6f141cc7ff0175cce35bf3224df319dad6efb8727378b50e9d73647a6534db5e1284488fe308cec5ad24a070d14fc8c883b2471dde01894b0e6d14125e7a

memory/4532-8-0x0000000002D80000-0x0000000002E80000-memory.dmp

memory/4532-10-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4532-9-0x0000000002CA0000-0x0000000002CCD000-memory.dmp

memory/4532-11-0x0000000002FE0000-0x0000000002FFA000-memory.dmp

memory/4532-12-0x0000000007320000-0x00000000078C4000-memory.dmp

memory/4532-13-0x0000000004CE0000-0x0000000004CF8000-memory.dmp

memory/4532-14-0x0000000000400000-0x0000000002B7E000-memory.dmp

memory/4532-42-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-20-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-18-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-16-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-15-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-40-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-38-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-36-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-35-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-32-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-30-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-28-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-26-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-24-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-22-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

memory/4532-43-0x0000000002D80000-0x0000000002E80000-memory.dmp

memory/4532-44-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4532-48-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4532-49-0x0000000000400000-0x0000000002B7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu3686.exe

MD5 d10d4cf82277f0745666ba16c8a82e99
SHA1 755ea12bba3a621f30a104e9abc7d0c4076b3b70
SHA256 e46360448b26820ce9bf60d6daa4e1ca5643dec17f60232c888b1a0d5dc2f73f
SHA512 d7c71e1e2f60c57a628b1d515e8c687780c8581bf87f65a9fa1e959f2fb02c904ae7cf10d60cfd305826ed9bd2c5cffa140aa58fdab1098aba1accdbfd05d092

memory/3764-54-0x00000000070F0000-0x0000000007136000-memory.dmp

memory/3764-55-0x00000000071B0000-0x00000000071F4000-memory.dmp

memory/3764-87-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-89-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-85-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-83-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-81-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-79-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-77-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-962-0x0000000007890000-0x0000000007EA8000-memory.dmp

memory/3764-964-0x00000000072B0000-0x00000000072C2000-memory.dmp

memory/3764-963-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

memory/3764-75-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-73-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-71-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-965-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

memory/3764-69-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-67-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-63-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-61-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-966-0x0000000008110000-0x000000000815C000-memory.dmp

memory/3764-65-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-59-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-57-0x00000000071B0000-0x00000000071EF000-memory.dmp

memory/3764-56-0x00000000071B0000-0x00000000071EF000-memory.dmp