Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-sj9qlstgqh
Target 1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2.exe
SHA256 1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2

Threat Level: Known bad

The file 1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:10

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:10

Reported

2024-11-13 15:12

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2.exe"

Signatures

Detects Healer an antivirus disabler dropper

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A | (17 matches, no indicator details recorded) |

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |

RedLine

infostealer redline

RedLine payload

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A | (20 matches, no indicator details recorded) |

Redline family

redline

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu4616.exe | N/A |

Windows security modification

evasion trojan
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2.exe | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu4616.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu4616.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2.exe

"C:\Users\Admin\AppData\Local\Temp\1fa4a655884815b2cfcb7c7c7e8bdf2ee5b38f0cb73a274425fe5905e15800c2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1396 -ip 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu4616.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu4616.exe

Network

| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| RU | 176.113.115.145:4125 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 176.113.115.145:4125 | | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro4809.exe

MD5 57c02fdd78e535ba70043b549ebcbc71
SHA1 8cf0f4e3e573fb892b685d59570eebe81e8b5fcc
SHA256 f8d99845fa7649acc92b9ce2048123bd215ae85b03038b68af30bfeda73bb7b6
SHA512 02944b1dd14e58dfdf0c99df14c9232ae82ab5a23b3b07807c55c3c80fc713ed5804e106519330035b9d4dd3334c4e6fd8c1dfc0e06a543f4a1e2e427bebc28e

memory/1396-8-0x0000000000850000-0x0000000000950000-memory.dmp

memory/1396-9-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1396-10-0x0000000000400000-0x00000000007FC000-memory.dmp

memory/1396-11-0x0000000000400000-0x00000000007FC000-memory.dmp

memory/1396-12-0x00000000026C0000-0x00000000026DA000-memory.dmp

memory/1396-13-0x0000000004E00000-0x00000000053A4000-memory.dmp

memory/1396-14-0x0000000004D90000-0x0000000004DA8000-memory.dmp

memory/1396-15-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-42-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-40-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-38-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-36-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-34-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-32-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-30-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-28-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-26-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-24-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-22-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-20-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-18-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-16-0x0000000004D90000-0x0000000004DA2000-memory.dmp

memory/1396-43-0x0000000000850000-0x0000000000950000-memory.dmp

memory/1396-44-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1396-47-0x0000000000400000-0x00000000007FC000-memory.dmp

memory/1396-48-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu4616.exe

MD5 5d14669527aa999a29ce1f708e29dd09
SHA1 7ac49276a8b3ca18220d8bea8df69c0e5a449237
SHA256 214a8e55a1a43419b79f5ca8312ef63a66a1bb067eec6f430907d5482ac1e40e
SHA512 33e3d68aa903f980cf58fd81b1919f7a860e221cb9b6f742ac8ad7a5ec0f01f637596baf61f9a3d749dc744a77514631bda5fce54eeddf3122b346b9e275293b

memory/5068-53-0x0000000000400000-0x000000000080B000-memory.dmp

memory/5068-54-0x00000000024D0000-0x0000000002516000-memory.dmp

memory/5068-55-0x0000000000400000-0x000000000080B000-memory.dmp

memory/5068-56-0x0000000002990000-0x00000000029D4000-memory.dmp

memory/5068-62-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-72-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-70-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-68-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-66-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-64-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-82-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-60-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-58-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-57-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-74-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-90-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-88-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-86-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-84-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-80-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-78-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-77-0x0000000002990000-0x00000000029CF000-memory.dmp

memory/5068-963-0x00000000055E0000-0x0000000005BF8000-memory.dmp

memory/5068-964-0x0000000004F00000-0x000000000500A000-memory.dmp

memory/5068-965-0x0000000005C20000-0x0000000005C32000-memory.dmp

memory/5068-966-0x0000000005C40000-0x0000000005C7C000-memory.dmp

memory/5068-967-0x0000000005D90000-0x0000000005DDC000-memory.dmp