Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-sdsvxaxmfj
Target 1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d.exe
SHA256 1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d

Threat Level: Known bad

The file 1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer family

RedLine payload

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:00

Reported

2024-11-13 15:02

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5365.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5365.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5365.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d.exe

"C:\Users\Admin\AppData\Local\Temp\1efc967cd8811578a28f00fc026c9cdea5d5c38befaf014c5e07fd8955b2520d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5365.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5365.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro9461.exe

MD5 bb99985c7866699efb42c399569ac189
SHA1 5ccc3fc94294c0636d5bc67f8235084510845b03
SHA256 e8e40bef3e56d8a56c22eeed219d9a81c9e16a272d469a8b1628d4ee05df56e1
SHA512 661c8519f6937b6de11a92a209e61648feccedf6825179ca662d7db3bd4b8b17bf29ce7194cf44ca8c3f022f2cd3b2cc18bb405c58ad63da283c29859d2d2c98


C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5365.exe

MD5 eeb7d3680838817e9478ce67ae02e9b6
SHA1 b87ffe819f7fdd3c4e28a7944d545d0c4f330d0c
SHA256 378a79d0de790061936bf6de49677c8d46eb3b9db756df6c6198297b24972963
SHA512 422903458802326804be76ddb3d7ba20c8f6ea83a03de52cb12e47a542c94878c5071b93845467b4c47fd4c68b97f21494b4ab3c462ecdfb088083192423c671
