Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-smqf5sthle
Target 2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe
SHA256 2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570

Threat Level: Known bad

The file 2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

RedLine payload

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

Healer family

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:14

Reported

2024-11-13 15:16

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe
PID 1524 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe
PID 1524 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe
PID 4936 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe
PID 4936 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe
PID 4936 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe
PID 3572 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe
PID 3572 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe
PID 3572 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe
PID 3572 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe
PID 3572 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe
PID 4936 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe
PID 4936 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe
PID 4936 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe

"C:\Users\Admin\AppData\Local\Temp\2aa585b8467fb60bbf85d150d1e7f3f3a4e32e56529fa95c4624c68aef102570.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice7397.exe

MD5 bc51a9e8040b1382777a3460776c5c3f
SHA1 fd603bf51005e17db870261017fa5133f32e330d
SHA256 f88632042070ab6f96d125d2c01f6697f8b7916cb74d1168bf2bf1f0623562a2
SHA512 3515e0b6ae26b5eac996c4cf0a7810e2adca0104184280e9fa69b2fa46b7180bf3722d0e75fbc3444d0026fae09d9f5dbf93147e2939ae3df3fe45f425bda6d0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0715.exe

MD5 3ebd2d0de0dda7f5f801bb87d8ad0f44
SHA1 074fb4c3a5affa0e604b636b83be3164421f2d12
SHA256 dfc11e034c2970239e3e0df7abdba97cef691e619876804ed18c7ed946fcb01a
SHA512 dea9c987fa93bcc2887e94808d97134a6dce9f9e74cc7e12ce9579d39043bdaf34338daac2e89894e1892e3a8291ec111520e8430af7a9bb1f918a48cac90dfc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8799SO.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1124-21-0x00000000003A0000-0x00000000003AA000-memory.dmp

memory/1124-22-0x00007FFD0A653000-0x00007FFD0A655000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c43cb40.exe

MD5 c7a6a881515eb7ab0d1c3f67455ca980
SHA1 f201499e8d0b2fd82f78687f5a23320b236a6881
SHA256 b13855be933840cc9ae22ee6887717cea2a45b9550e6ab4b610c42c795d501b7
SHA512 d64e309bf4ad1fa5a17fdf529db3258260ff5c718d828bb86ba1c5b621064724a319396392cc546642f012f7dd9cea4aa21ef254a98fd8e1fa3a9b86e4eda644

memory/4952-28-0x0000000002440000-0x000000000245A000-memory.dmp

memory/4952-29-0x0000000004B70000-0x0000000005114000-memory.dmp

memory/4952-30-0x0000000004A60000-0x0000000004A78000-memory.dmp

memory/4952-31-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-38-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-58-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-56-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-54-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-52-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-50-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-48-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-46-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-44-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-42-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-40-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-36-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-34-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-32-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4952-59-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4952-61-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgEoB84.exe

MD5 67fea7c362f13f92f2028ad800e6a0eb
SHA1 5624b717fc92e019a210d1e863992ab5b6b0b851
SHA256 245cd72755fd00b3f3f36d5b08f0ba395f363094655a8fd6a54f2ed4273343e9
SHA512 7c38a6c450e8bf8ae09586eada676395eca117078764bf1a2fed75f4eae22084aa293fbeb07fba5443c3c7af53eb98007606f5d1db5f4159f31864291095394f

memory/4472-66-0x00000000025C0000-0x0000000002606000-memory.dmp

memory/4472-67-0x0000000004AD0000-0x0000000004B14000-memory.dmp

memory/4472-93-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-101-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-99-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-97-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-95-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-91-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-89-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-87-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-85-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-83-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-81-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-79-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-77-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-75-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-73-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-71-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-69-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-68-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

memory/4472-974-0x00000000051F0000-0x0000000005808000-memory.dmp

memory/4472-975-0x0000000005810000-0x000000000591A000-memory.dmp

memory/4472-976-0x0000000004BF0000-0x0000000004C02000-memory.dmp

memory/4472-977-0x0000000005920000-0x000000000595C000-memory.dmp

memory/4472-978-0x0000000005A60000-0x0000000005AAC000-memory.dmp