Malware Analysis Report

2024-12-07 04:11

Sample ID 241113-x4rgzs1nbp
Target 0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198
SHA256 0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198
Tags
healer redline max discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 10/10

SHA256 0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198

Threat Level: Known bad

The file 0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198 was found to be: Known bad.

Assessment: the sample is a five-deep nest of self-extracting executables. Each layer unpacks into its own temp directory (IXP000.TMP through IXP004.TMP) and registers a wextract_cleanupN RunOnce entry, the signature of the wextract/IExpress stub. The innermost layer drops two payloads: a89858182.exe, the Healer stage, which turns off Windows Defender real-time protection through the registry and enables SeDebugPrivilege, and b00751331.exe, the only other stage and the one whose memory was dumped. The sandbox's RedLine hits are not tied to a process in this report, but b00751331.exe is the likely RedLine payload. The one network connection attributable to the sample is plain TCP to 185.161.248.73:4164 (RU), the indicator to carry out of this report. The "persistence" tag comes from the wextract cleanup entries only; no autorun entry for the payloads themselves was recorded.

Malicious Activity Summary

healer redline max discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

Detects Healer an antivirus disabler dropper

Healer family

Redline family

Healer

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:24

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:24

Reported

2024-11-13 19:27

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 hits; no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A

Note: all five values are written by a89858182.exe (the Healer stage) under the Real-Time Protection policy key, the Group Policy location Defender honours for these settings. With them set to 1, real-time monitoring, behavior monitoring, on-access scanning and download (IOAV) scanning are off, and no catch-up scan runs if real-time protection is later re-enabled. Two caveats for triage: the writes were recorded under WOW6432Node, the 32-bit registry view seen by this 32-bit process, and on a host with Tamper Protection enabled Defender ignores registry and policy changes to the real-time, behavior-monitoring, on-access and IOAV values, so a write succeeding in the sandbox does not show that protection was actually disabled on a managed endpoint. Confirm the live state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than reading the registry.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 hits; no indicator details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A

Note: TamperProtection under ...\Windows Defender\Features is the flag Tamper Protection itself guards. When the feature is on, Defender rejects registry writes that try to clear it, so this write succeeding says more about the sandbox's Defender state than about a managed endpoint. The write also landed in the WOW6432Node view, the redirected 32-bit copy of HKLM\SOFTWARE\Microsoft, which is not the key the 64-bit Defender service reads.
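The two registry tables above (the Real-Time Protection policy values and the TamperProtection feature flag) are the kind of rows a detection engineer wants to map mechanically to the Defender protection they touch, the disabling value, the WOW6432Node view and the Tamper Protection caveat. The script below is an added example written for this report, not sandbox code: it parses rows in the sandbox's own row format, with REPORT_ROWS copied from the tables above and the other sample rows constructed. The setting table covers the values in this report plus DisableAntiSpyware, which is not seen here; the ATT&CK mapping to T1562.001 is the editor's.

```python
"""Map sandbox registry-write rows to the Windows Defender protection they target.

Added example for this report; not sandbox code.  REPORT_ROWS copy the rows
recorded above, the other sample rows are constructed.  The setting table and
the Tamper Protection set follow Microsoft's documentation of the Defender
policy values; the ATT&CK mapping (T1562.001, Impair Defenses) is the editor's.
"""
import re
from dataclasses import dataclass

# key\value relative to HKLM\SOFTWARE (lower-case) -> (protection, data that disables it)
DEFENDER_SETTINGS = {
    r"policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring": ("real-time monitoring", "1"),
    r"policies\microsoft\windows defender\real-time protection\disablebehaviormonitoring": ("behavior monitoring", "1"),
    r"policies\microsoft\windows defender\real-time protection\disableonaccessprotection": ("on-access scanning", "1"),
    r"policies\microsoft\windows defender\real-time protection\disableioavprotection": ("IOAV download scanning", "1"),
    r"policies\microsoft\windows defender\real-time protection\disablescanonrealtimeenable": ("catch-up scan on RTP re-enable", "1"),
    r"policies\microsoft\windows defender\disableantispyware": ("Defender engine", "1"),  # not seen in this report
    r"microsoft\windows defender\features\tamperprotection": ("Tamper Protection", "0"),
}
# Settings Defender refuses to change via registry/policy while Tamper Protection is on.
TAMPER_PROTECTED = {"real-time monitoring", "behavior monitoring", "on-access scanning",
                    "IOAV download scanning", "Defender engine", "Tamper Protection"}

# Row shape: Set value (type) <key\value> = "<data>" <process> <target>; data is C-style quoted.
ROW_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = '
                    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+) \S+$')


@dataclass
class Finding:
    process: str            # image that performed the write
    setting: str            # protection affected
    disabled: bool          # data equals the disabling value
    wow64_view: bool        # recorded under WOW6432Node (32-bit registry view)
    tamper_protected: bool  # ignored by Defender while Tamper Protection is on
    technique: str = "T1562.001"


def normalize_key(key):
    """Lower-case key relative to HKLM\\SOFTWARE, plus whether it sat under WOW6432Node."""
    k = key.lower()
    prefix = "\\registry\\machine\\software\\"
    if not k.startswith(prefix):
        return None, False
    rel = k[len(prefix):]
    wow = rel.startswith("wow6432node\\")
    return (rel[len("wow6432node\\"):] if wow else rel), wow


def classify(rows):
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # "Key created" rows carry no data: nothing to judge
        key, _, value = m.group("path").rpartition("\\")
        rel, wow = normalize_key(key)
        if rel is None:
            continue
        entry = DEFENDER_SETTINGS.get(rel + "\\" + value.lower())
        if entry is None:
            continue  # e.g. the RunOnce rows: not a Defender setting
        setting, disabling = entry
        findings.append(Finding(m.group("proc").rsplit("\\", 1)[-1], setting,
                                m.group("data") == disabling, wow, setting in TAMPER_PROTECTED))
    return findings


def summarize(rows):
    """protection -> True if the write would disable it (given Tamper Protection is off)."""
    return {f.setting: f.disabled for f in classify(rows)}


_P = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe"
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
REPORT_ROWS = [  # copied from the rows above
    f'Set value (int) {_RTP}\\DisableScanOnRealtimeEnable = "1" {_P} N/A',
    f'Set value (int) {_RTP}\\DisableBehaviorMonitoring = "1" {_P} N/A',
    f'Set value (int) {_RTP}\\DisableIOAVProtection = "1" {_P} N/A',
    f'Set value (int) {_RTP}\\DisableOnAccessProtection = "1" {_P} N/A',
    f'Set value (int) {_RTP}\\DisableRealtimeMonitoring = "1" {_P} N/A',
    f'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0" {_P} N/A',
]
KEY_CREATED_ROW = f"Key created {_RTP} {_P} N/A"  # copied; no data to judge
RUNONCE_ROW = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = '
               r'"rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""'
               r' C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66206296.exe N/A')  # copied; not a Defender key
REENABLE_ROW = (r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
                r'\DisableRealtimeMonitoring = "0" C:\Windows\System32\gpupdate.exe N/A')  # constructed negative case

if __name__ == "__main__":
    for f in classify(REPORT_ROWS):
        flags = ((" [32-bit view]" if f.wow64_view else "")
                 + (" [no effect while Tamper Protection is on]" if f.tamper_protected else ""))
        print(f"{f.process}: {f.setting} {'DISABLED' if f.disabled else 'unchanged'}{flags}")
```

Run against the six report rows it returns six findings, all disabling, all from a89858182.exe, all in the 32-bit view, and five of them in the set Tamper Protection would block; the constructed re-enable row classifies as not disabling, and Key created and RunOnce rows are skipped rather than misreported.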

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i81210077.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55582460.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79087501.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66206296.exe N/A

Note: the "persistence" label is a misreading of these rows. Each value is a RunOnce entry named wextract_cleanupN whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXP00N.TMP>": that is the self-extractor (wextract.exe, the IExpress stub) scheduling deletion of its own temp directory at the next logon. It runs nothing from the sample. The five entries, each written by a different stage for the directory that stage created, are the clearest sign that the sample is a five-deep nest of self-extracting executables; the report records no Run or RunOnce entry that would relaunch the Healer or RedLine payloads.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b00751331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i81210077.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55582460.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79087501.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66206296.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A

Note: every stage, including the self-extractor wrappers, opens this key. Reading HKLM\SYSTEM\...\NLS\Language is common to many benign Windows binaries, so on its own it is a low-signal indicator; it does not show a language-based kill switch unless a payload also acts on the value, which this report does not record.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(2 events, both from C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe; no further detail recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe N/A

Suspicious use of WriteProcessMemory

Parent PID Parent image Child PID Child image Writes
3664 0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198.exe 2136 IXP000.TMP\i81210077.exe 3
2136 IXP000.TMP\i81210077.exe 4004 IXP001.TMP\i55582460.exe 3
4004 IXP001.TMP\i55582460.exe 3628 IXP002.TMP\i79087501.exe 3
3628 IXP002.TMP\i79087501.exe 1032 IXP003.TMP\i66206296.exe 3
1032 IXP003.TMP\i66206296.exe 440 IXP004.TMP\a89858182.exe 3
1032 IXP003.TMP\i66206296.exe 4080 IXP004.TMP\b00751331.exe 3

(all images under C:\Users\Admin\AppData\Local\Temp\; the sandbox listed each write as its own row, 18 rows in total)

Note: each parent writes exactly three times into the child it has just spawned and into nothing else. That is the pattern a parent produces when it creates a child process; it is what makes the chain reconstructable, but on its own it is not evidence of code injection.
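The RunOnce cleanup rows and the WriteProcessMemory rows together describe the whole unpacking chain: which stages are wextract layers, which directory each one deletes, and the parent/child tree with its write counts. The script below is an added example written for this report, not sandbox code. It parses both row types in the sandbox's own format; RUNONCE_ROWS and WPM_ROWS are rebuilt to match the report's rows character for character, CONSTRUCTED_AUTORUN is a made-up Run entry included only to show the contrast with a real autorun, and the identification of IXP00N.TMP plus advpack.dll,DelNodeRunDLL32 as wextract housekeeping is the editor's.

```python
"""Rebuild the self-extractor chain behind this sample from two kinds of row
recorded above: the RunOnce wextract_cleanupN writes and the WriteProcessMemory
parent/child rows.  Added example, not sandbox code.  RUNONCE_ROWS and WPM_ROWS
reproduce the report's rows; CONSTRUCTED_AUTORUN is made up to show the contrast.
That IXP00N.TMP directories and advpack.dll,DelNodeRunDLL32 cleanup entries come
from wextract.exe (the IExpress stub) is the editor's identification.
"""
import re
from collections import Counter, defaultdict

RUNONCE_RE = re.compile(r'^Set value \(str\) \\REGISTRY\\.+?\\(?P<key>Run|RunOnce)\\(?P<name>[^\\ ]+) = '
                        r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+) \S+$')
WPM_RE = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) \S+ (?P<parent>\S+) (?P<child>\S+)$')
CLEANUP_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]*?)\\?"?\s*$', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]

def unescape(data):
    """The sandbox prints value data C-style quoted: backslashes and quotes escaped with a backslash."""
    return re.sub(r'\\(.)', r'\1', data)

def c_quote(data):
    """Inverse of unescape, used only to rebuild the report's rows below."""
    return data.replace("\\", "\\\\").replace('"', '\\"')

def classify_autorun(row):
    """None for rows that are not Run/RunOnce writes; otherwise what the entry does."""
    m = RUNONCE_RE.match(row)
    if not m:
        return None
    data = unescape(m.group("data"))
    entry = {"key": m.group("key"), "name": m.group("name"), "writer": basename(m.group("proc"))}
    cleanup = CLEANUP_RE.search(data)
    if m.group("name").startswith("wextract_cleanup") and cleanup:
        # wextract scheduling deletion of its own temp directory: housekeeping, not persistence
        entry.update(kind="wextract-cleanup", deletes=cleanup.group("dir"))
    else:
        entry.update(kind="autorun-persistence", command=data)
    return entry

def sfx_layers(rows):
    """Images that acted as a wextract layer, in the order their cleanup entries were written."""
    layers = []
    for row in rows:
        entry = classify_autorun(row)
        if entry and entry["kind"] == "wextract-cleanup":
            layers.append(entry["writer"])
    return layers

def build_tree(rows):
    """children[ppid] -> [cpid, ...] (first-seen order), names[pid] -> image, writes[(ppid, cpid)] -> count."""
    children, names, writes = defaultdict(list), {}, Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        ppid, cpid = int(m.group("ppid")), int(m.group("cpid"))
        names[ppid], names[cpid] = basename(m.group("parent")), basename(m.group("child"))
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        writes[(ppid, cpid)] += 1
    return children, names, writes

def root_pids(children):
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]

def depth(children, pid):
    """Number of process generations from pid down to its deepest descendant."""
    return 1 + max((depth(children, c) for c in children.get(pid, [])), default=0)

def render(children, names, pid, indent=0):
    lines = [f"{'  ' * indent}{names[pid]} (PID {pid})"]
    for c in children.get(pid, []):
        lines.extend(render(children, names, c, indent + 1))
    return lines


_T = r"C:\Users\Admin\AppData\Local\Temp"
_STAGES = [_T + r"\0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198.exe"] + [
    f"{_T}\\IXP00{i}.TMP\\{n}" for i, n in
    enumerate(["i81210077.exe", "i55582460.exe", "i79087501.exe", "i66206296.exe"])]
_RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

def _cleanup_row(i):  # stage i registers deletion of IXP00i.TMP, exactly as the report shows
    cmd = f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{_T}\\IXP00{i}.TMP\\"'
    return f'Set value (str) {_RUNONCE}\\wextract_cleanup{i} = "{c_quote(cmd)}" {_STAGES[i]} N/A'

RUNONCE_ROWS = [_cleanup_row(i) for i in range(5)]
CONSTRUCTED_AUTORUN = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = '
                       r'"C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Roaming\updater.exe N/A')
_PIDS = [3664, 2136, 4004, 3628, 1032]
WPM_PAIRS = [(p, c, _STAGES[i], _STAGES[i + 1]) for i, (p, c) in enumerate(zip(_PIDS, _PIDS[1:]))]
WPM_PAIRS += [(1032, 440, _STAGES[4], f"{_T}\\IXP004.TMP\\a89858182.exe"),
              (1032, 4080, _STAGES[4], f"{_T}\\IXP004.TMP\\b00751331.exe")]
# the report lists every parent/child pair three times, one row per write
WPM_ROWS = [f"PID {p} wrote to memory of {c} N/A {pa} {ch}" for p, c, pa, ch in WPM_PAIRS for _ in range(3)]

if __name__ == "__main__":
    kids, names, writes = build_tree(WPM_ROWS)
    print("\n".join(render(kids, names, root_pids(kids)[0])))
    print("wextract layers:", sfx_layers(RUNONCE_ROWS))
```

Two results matter for triage: sfx_layers() names the five wrapper stages, leaving a89858182.exe and b00751331.exe as the only real payloads, and the tree has depth 6 with three writes per edge, the ordinary process-creation pattern rather than injection. The same classify_autorun() flags the constructed Run entry as autorun-persistence, which is the shape a genuine persistence hit would have had.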

Processes

Process tree (PIDs taken from the WriteProcessMemory rows; each stage spawns the next):

C:\Users\Admin\AppData\Local\Temp\0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198.exe (PID 3664)
  command line: "C:\Users\Admin\AppData\Local\Temp\0707be31630a7ba86842ca0cff187f4583b9f8459551fdd7e6a8ee589ebfb198.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i81210077.exe (PID 2136)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55582460.exe (PID 4004)
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79087501.exe (PID 3628)
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66206296.exe (PID 1032)
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe (PID 440): Healer stage (Defender tampering, SeDebugPrivilege)
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b00751331.exe (PID 4080): remaining payload, memory dumped; the report does not tie the RedLine hits to a process, but this is the likely RedLine stage

For every child the recorded command line is the bare image path; only the root was launched with a quoted path. The root and the four i*.exe stages are the self-extractor layers (one IXP00N.TMP directory and one wextract_cleanupN entry each); the two files in IXP004.TMP are the payloads.

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp

Note: the in-addr.arpa queries to 8.8.8.8 are reverse lookups of Microsoft and CDN addresses that background Windows services in the VM contacted; treat them as sandbox noise, not as indicators of this sample. The one endpoint attributable to the sample is 185.161.248.73:4164, contacted six times over plain TCP with no DNS lookup beforehand, i.e. a hard-coded IP and port, which is consistent with RedLine's TCP command-and-control channel. Block and hunt on that IP:port pair; do not add the reverse-lookup names to a blocklist.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i81210077.exe

MD5 1143d9579e60e38c86b5b75f69a77930
SHA1 10bbd280f5b701107ec9e5c085d89e27a91dafe2
SHA256 c7900c2c29e3b94a0427f78c1da04418ede091894f19a3b569c954411a3c222f
SHA512 8ae3c16e0bd14515525d47f17184becf1d39ee265a2f0234aeaf5ac31514f0f575fffac4fdb5c6e32c00d8e614bfaa87d29de356caa8f6ae799abd65ecd1e33f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i55582460.exe

MD5 ac88d70d6724d34c950f892b5ebc9843
SHA1 1a98b3762a773bfe472d1c7b349ee5fc1b657291
SHA256 54669ab48071c21dc4f995657ccc9f6fcdf725e323c038c04dd1aed330d4f0ea
SHA512 d98a722e63eb2b43a4b388e44efb75febb15b047bdb46ef68047027abef22ed2cb2d645bca4519c181a2ddaa3a031ab28ff20066bffd708e834533a432e22343

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i79087501.exe

MD5 60df6a4704eee30b0c481e8c3997694e
SHA1 179b73889a7fa87bce59e08f03f244ccbd338c75
SHA256 a8ddad272397d4cc8b3a72b1ff7f6e6eaa13692fbb1f8ca5ca5056883f75333c
SHA512 217b51cbb8521d75dbb694aaa63dfce4d8849e043cb53f494505787262cffbabfe1a23900d67677ada0c12cd776d9cdbeb956d278bf41832bc13668c65e1c671

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i66206296.exe

MD5 7717f1e1ee9fcd3e9e52f2724b99b63b
SHA1 8b02394982316afcb3c75282c4b1b83ffb581083
SHA256 cb0d6919cabbd9dc6f8acaa8dafed5437c77596e58ad52fd4bb1a238ef702da6
SHA512 ef4693da83df5ea23643b5525391a2606e86c8c5006179fbabcf5ec0ffc567ec7589b0a26e61d040d44448bfe434f39beb816d147d9660f7a6674b40534a0fa3

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a89858182.exe

MD5 bf67e5556b4daed857c198aa0e7e5eae
SHA1 8c23d32e3b110d8d459789f647395763106504bb
SHA256 cfa7be2f750c0ebcfedbf1f9e55bb637022a0a9d7cffafb45b074648d475ac45
SHA512 6667caa7ee3d885bf76522bd23a8f2763e291f8397af0e473e967717438e0f3f36e61efa451eba392427e1cfc5b3f2aa50d4bc41f1643402f0e3bf3730d09c91

memory/440-35-0x0000000002300000-0x000000000231A000-memory.dmp

memory/440-36-0x0000000004B10000-0x00000000050B4000-memory.dmp

memory/440-37-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

memory/440-45-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-65-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-63-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-61-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-59-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-57-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-56-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-53-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-51-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-49-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-47-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-43-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-41-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-38-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

memory/440-39-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b00751331.exe

MD5 c64c2732c1d5f5b7b88a673a842bd45e
SHA1 17a2605c3fd144e7a0b3adce58d0b3d83d7632f8
SHA256 dedd327c4adc564b342ebd022dc0f9d5424b5765ae5d457b936ce1bb3cc7f527
SHA512 cd2113707f9474911f42275fb41b09abecd1bd365ef3ac3e7801f4e5123178b2dbc5619b4e4990337d2402b83c609220ddf6c42ccd57f9a8806d3e28bb6f0e55

memory/4080-70-0x0000000000C60000-0x0000000000C90000-memory.dmp

memory/4080-71-0x0000000005580000-0x0000000005586000-memory.dmp

memory/4080-72-0x0000000005BF0000-0x0000000006208000-memory.dmp

memory/4080-73-0x00000000056E0000-0x00000000057EA000-memory.dmp

memory/4080-74-0x00000000055F0000-0x0000000005602000-memory.dmp

memory/4080-75-0x0000000005650000-0x000000000568C000-memory.dmp

memory/4080-76-0x0000000005690000-0x00000000056DC000-memory.dmp