Malware Analysis Report

2024-12-07 03:58

Sample ID 241113-rqc5jswrem
Target bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe
SHA256 bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa
Tags healer redline gena discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa

Threat Level: Known bad

The file bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe was found to be: Known bad.

Malicious Activity Summary

Tags healer redline gena discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper
Healer family
Healer
Redline family
RedLine
RedLine payload
Modifies Windows Defender Real-time Protection settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 14:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 14:23
Reported 2024-11-13 14:25
Platform win10v2004-20241007-en
Max time kernel 112s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

Tags dropper healer

Healer family

Tags healer

Modifies Windows Defender Real-time Protection settings

Tags evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A

RedLine

Tags infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

Tags redline

Windows security modification

Tags evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A

Adds Run key to start application

Tags persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | N/A

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1328 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe
PID 1328 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe
PID 1328 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe
PID 4664 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe
PID 4664 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe
PID 4664 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe
PID 4664 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe
PID 4664 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe
PID 1328 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe
PID 1328 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe
PID 1328 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe | "C:\Users\Admin\AppData\Local\Temp\bc2c4da79745fdb2395d45e22bc1d4fe5ca061b13f970d5261350cd53f0444fa.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4828 -ip 4828
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1084
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
RU | 193.233.20.30:4125 | N/A | tcp
RU | 193.233.20.30:4125 | N/A | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
RU | 193.233.20.30:4125 | N/A | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
RU | 193.233.20.30:4125 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6160.exe

MD5 3744dc1c16a6bf37e9e81d386fe47b4f
SHA1 26b97a47ddfe38146732aa39a857f5e0cbcb939b
SHA256 42a027b92547cec6efc95c77ecbc9d9e21049555a09311274c0f693c859b08dc
SHA512 3625e1ffa589990c5246fb286eeef7ea699d9f4d55e91003fe8e650da75289fec75d7f1bd65680b7c59b7149873f1805127a1eb9d82f2063f2b275a7389b298d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f2417LI.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4548-14-0x00007FFD8CF83000-0x00007FFD8CF85000-memory.dmp

memory/4548-15-0x0000000000930000-0x000000000093A000-memory.dmp

memory/4548-16-0x00007FFD8CF83000-0x00007FFD8CF85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h16Ma93.exe

MD5 5623a47dd34a0b50e1e3c816d5e01ea6
SHA1 a6be6352b43c5c439e5aba50546e1956693290e5
SHA256 5c465687bf69197e08fc0b96d99a9ba12ca4eb168d797270f956b06b24f5b110
SHA512 208789d81db4aafd823fafbf4c4f8573d7811488be122f47deeb059247c544e1afa8d74ec381c766d879335cd723ea7e5a0875a36bbabc3a19582bc7fa772371

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\igWCk04.exe

MD5 29f2c48653b526e859ef25de2d174b6d
SHA1 3af2621c9d396c041d0047e6af8bc622a902ab9e
SHA256 d95fb3656298edd3f962e8e2a001ed2cb78d8f3ae2bc6f7bb45b681e7b19e83d
SHA512 4fb8981f01a8e423dc6141762d12557d4dcb583fdff724839235ce4418c99927a0fbc738dfbd846d4c36a77862a3b87fe80e934f5991b4060e605c2d99913947
