Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-s1m8yavbne
Target 8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe
SHA256 8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c

Threat Level: Known bad

The file 8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

Healer family

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:35

Reported

2024-11-13 15:37

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe

"C:\Users\Admin\AppData\Local\Temp\8b1413851bae064d8e90e7a74bbce06da53c96ab313e61d4ed366d085258869c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr780907.exe

MD5 09d6549c050cbc2102aea2805ea6ae7f
SHA1 a8cce3823c31fd2f4ae739ed34e22ee8077ad80d
SHA256 de49136d49ba2505f96ce09850f5d1d5e42cdc778ee9f3612ff6a210e06e3659
SHA512 a6a8aa1d66e2c0248c2d79afa98955349e37018be5c72d7d117284b4fecd4003100df7abab796943898f4724d51cc5bb51e5484e5b9636e90e39b21030d58eaf

memory/464-7-0x00007FFF150C3000-0x00007FFF150C5000-memory.dmp
memory/464-8-0x00000000004D0000-0x00000000004DA000-memory.dmp
memory/464-9-0x00007FFF150C3000-0x00007FFF150C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku690066.exe

MD5 a4a05c93db35cc7c59daa86bf049d333
SHA1 bf63cd10338fcd1005d853bcc1403cfe146683aa
SHA256 8969a5cf711d67cebaec37961d0a57fa40b0ecc6461a6dc772930f248f2624de
SHA512 80fa62ab015e93470e4ca3b6c80fa8e450b181a2c3d3da565a12654bc8bfaca29de25535459c6571487a163e240bfdd09929b49193dd5d272bc92210327334f8

memory/764-15-0x00000000009C0000-0x0000000000AC0000-memory.dmp
memory/764-16-0x0000000000AC0000-0x0000000000B0B000-memory.dmp
memory/764-17-0x0000000000400000-0x000000000044E000-memory.dmp
memory/764-18-0x0000000002700000-0x0000000002746000-memory.dmp
memory/764-19-0x0000000004D90000-0x0000000005334000-memory.dmp
memory/764-20-0x00000000053A0000-0x00000000053E4000-memory.dmp
memory/764-70-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-74-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-84-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-80-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-78-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-76-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-72-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-68-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-66-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-64-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-62-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-60-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-56-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-54-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-52-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-51-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-48-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-46-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-44-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-42-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-40-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-38-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-36-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-32-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-30-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-28-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-82-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-21-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-58-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-34-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-26-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-24-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-22-0x00000000053A0000-0x00000000053DF000-memory.dmp
memory/764-927-0x0000000005440000-0x0000000005A58000-memory.dmp
memory/764-928-0x0000000005AE0000-0x0000000005BEA000-memory.dmp
memory/764-929-0x0000000005C20000-0x0000000005C32000-memory.dmp
memory/764-930-0x0000000005C40000-0x0000000005C7C000-memory.dmp
memory/764-931-0x0000000005D90000-0x0000000005DDC000-memory.dmp
memory/764-932-0x00000000009C0000-0x0000000000AC0000-memory.dmp
memory/764-933-0x0000000000AC0000-0x0000000000B0B000-memory.dmp
memory/764-935-0x0000000000400000-0x000000000044E000-memory.dmp