Malware Analysis Report

2024-12-07 04:01

Sample ID 241113-rexptatcrj
Target 49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8N.exe
SHA256 49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8
Tags healer redline ruzhpe discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8

Threat Level: Known bad

The file 49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8N.exe was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Detects Healer, an antivirus disabler dropper

RedLine

Healer family

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:06

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:06

Reported

2024-11-13 14:09

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8N.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wrJN12oq78.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wrJN12oq78.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8N.exe

"C:\Users\Admin\AppData\Local\Temp\49e5e2b50874fdc3314e1e0ecbdb125ceb8da779ced96895dc98b4bde3fb0ad8N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4684 -ip 4684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wrJN12oq78.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wrJN12oq78.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp
US 8.8.8.8:53 pepunn.com udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMi26Na25.exe

MD5 946e45ca9ca57dbee2abd7de33d70086
SHA1 9003d342bb7b083b73c7b67e3a8059e1826d9695
SHA256 aa2990a947b4f237d68abb0193d1da436930d427eced5942132bd24fd0bd3bd9
SHA512 00743633925a810ce584991704d25034fd3d407838b245d456da54572b3558589acfa5dcbabf9ab09621f143dfc78767cfc979c18346a1e6baa55648405c8c3d


C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wrJN12oq78.exe

MD5 97581d18424b6968bffda63f4e27c2b0
SHA1 501bc8daae8308a502ceae32244e79e55d2282c3
SHA256 99908812a3e7d39049e6a424c5eaed09d067384e8997d55ea8804be915a6df30
SHA512 bb82a81e022d658c76192e97266feec3731260ac514f7f0c12ee96a9a81c8947c7ac756969b3671c1eef648a69f3bb39ec0fb3fb4cd4d0de272d3f2aeec2b1ba
