Malware Analysis Report

2024-12-07 03:59

Sample ID 241113-renf5stcqn
Target 70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N
SHA256 70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3

Threat Level: Known bad

The file 70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

RedLine

Redline family

Healer family

RedLine payload

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:06

Reported

2024-11-13 14:08

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe
PID 2400 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe
PID 2400 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe
PID 4744 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe
PID 4744 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe
PID 4744 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe
PID 4744 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe
PID 4744 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe
PID 4744 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe

"C:\Users\Admin\AppData\Local\Temp\70c6e130341d45a20bc78236d780f7dba482bcafe737a8e562b80d4522b93ad3N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979135.exe

MD5 073dc51a811b8819f310023f9e002d6e
SHA1 15160f6c7b1b414ed9147702423cb37b60152421
SHA256 5a16a45f1826540ab5bf923fad1c80e04d4159c2504f46f4352f8962233a6367
SHA512 eb74677968b1e4300e77a407f84835ca68a9f4165c4004ded4ef072e8f9de6e272c6b9aa1df6aecf793b96e963c391f25fbe27128d2cb88b69adf5c21f50c31a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47190598.exe

MD5 0ed309f13a0018f765c7e36f7242e19a
SHA1 a325ab36ad1885d6cff82bb716dcd2156d8e390d
SHA256 1a977f67b0ba2fe37c10fe70058d7542bf7d4be27ba3fd89f58b2b7a2424f9ba
SHA512 dea4629133a8658152b0f4316ca819685b85164800e1e90ee57f4c6cac5f69a22973e4f82daa67bf006b9871eaeca7f58f2cc48726cd7f869af4096fbb20fdcc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk767637.exe

MD5 29af39234458c71ab4396f72fa8e5c36
SHA1 8b2afbcf73a4f41fe400cf0c0d7d9c26e450ff03
SHA256 97289b300739e11ded6cd565b13504a740e73fc6578130da282d2142f176a184
SHA512 7b04b1b6c5c0a8bd213f9fb4a5ec646a5e457c2d1765ff786447b49b201cee53bd2385590fbb99f80c6fb62c98ec9b5634b66e0661955b471b897497d2edccde
