Malware Analysis Report

2024-12-07 03:49

Sample ID 241113-splwqsxpan
Target 028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe
SHA256 028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b

Threat Level: Known bad

The file 028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

Healer family

Detects Healer an antivirus disabler dropper

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:18

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:18

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe
PID 3108 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe
PID 3108 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe
PID 1692 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe
PID 1692 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe
PID 1692 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe
PID 1624 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe
PID 1624 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe
PID 1624 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe
PID 1624 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe
PID 1624 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe
PID 1692 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe
PID 1692 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe
PID 1692 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe

Processes

C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe

"C:\Users\Admin\AppData\Local\Temp\028685ed9106f42de51ca1badbceb54348497ed824c220e62bc14279ae65855b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will2311.exe

MD5 f12b52910551674573889a36af97b7b1
SHA1 7d983964b963368cc4895ef1d6eab019b78406d2
SHA256 072d9956898fee83fe500b30e32ccf57ccb28c5efa62bde0f935697a3b03467f
SHA512 f4b1a26321b20049a520fadc851bec7b099373611cdde7d158c2306a28ec377901519957c99b13da2f673a1e7888dc8fe5682a370fd307c073ee11130402468e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will8915.exe

MD5 8e1933ecd2046e3cc69d9d6c63727b72
SHA1 fed543a37233d94544108f330abc9beb052c3123
SHA256 d9b6fcfbe32b52c3383340b08f343e64fdb635b705e2493bbafe7c6cc4fedae6
SHA512 30f1b5e5d4a14253b44b47094aadc6e10bedeb32e721c24626cc85a9f72ee696b60e7a4003243de84f14247f6db5c729caca87588f395bde6379994b28c25e84

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mx3666PD.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ns3878fv.exe

MD5 35a491646910492dbf732291760b2f3f
SHA1 19aaf28995467fcf3a6c4a5cfcb9e452bb612432
SHA256 aaa32d471e989c96efbb1daefe9674a2c2677d31aab9f305c1bec2d43cdf76cc
SHA512 4740610b3f0d17d8af40853776a64ed8d2e19ae3c96f332a0ffb118c9ba99fee070793065a0791ece9f9cc7983e0560e521c8da205615ba02897f4edb80d0689

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\py80VX75.exe

MD5 816c32cf6381df44fa059b00645fdb82
SHA1 4405cd0cbcb0dc2672e79bd4ef958ca4e593be8c
SHA256 4e0a4325871abc7edf6bda3d7538a6697aade46ed4d3080096a76980e2e946de
SHA512 34b1cd0421fdcf1fc0cc82ea9de0f592c59929a35c1bf62c7a7ae84f527f8c9e015df2ffe710bb8560814b207a82bc81302b22052a24224ea8c6544b2c3f3bd2
