Malware Analysis Report

2024-12-07 04:03

Sample ID 241113-xma4ns1jhj
Target f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe
SHA256 f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6ed
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6ed

Threat Level: Known bad

The file f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

RedLine payload

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 18:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 18:57
Reported: 2024-11-13 18:59
Platform: win10v2004-20241007-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches, no indicator details recorded)

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (35 matches, no indicator details recorded)

Redline family

Tags: redline

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe | N/A

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f615e31962bafe27badcb0be9e620294df7ff25a2f735b4ce71c7b9d4279f6edN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp
RU | 176.113.115.145:4125 | - | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jr395719.exe

MD5 acc23556c09597b1481c68f178b6a193
SHA1 b934009fca742e9723c8f359f383a30a0f38527d
SHA256 74f7aecb49a321ffad49d08ea486a6ab50e964d54e383edcc4954c9c9ce5fda1
SHA512 3a2576090272a8d6d38ea50cdf789d55ad140f87a21db1efd8bf2d5e4fb023db0024d7e03015fac96811c08645c6471d3a8afbc7e0579c219f89fc3c08c7cd13

memory/5080-7-0x00007FFA3C6D3000-0x00007FFA3C6D5000-memory.dmp

memory/5080-8-0x00000000009D0000-0x00000000009DA000-memory.dmp

memory/5080-9-0x00007FFA3C6D3000-0x00007FFA3C6D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ku348887.exe

MD5 ab8d0323fd5702edab0603a367ee3264
SHA1 04a4b673b395d414db240b49b7b4aa5218f1a09e
SHA256 37e7c4738c5649db5408f15fd8b7b704f8c0908e48e36ed9c9fd0c847dd0640b
SHA512 5f25049b12edeaea53c9bf709a3848c4378c458a7fa87dced8ec83ff18f67ad9b6652081c59bb43ef5af4947bec2bec85cc544ff4dd297132ca1c1db69a55dc2

memory/1008-17-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1008-16-0x0000000000630000-0x000000000067B000-memory.dmp

memory/1008-15-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1008-18-0x0000000004B40000-0x0000000004B86000-memory.dmp

memory/1008-19-0x0000000004BD0000-0x0000000005174000-memory.dmp

memory/1008-20-0x0000000005190000-0x00000000051D4000-memory.dmp

memory/1008-24-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-34-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-84-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-82-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-81-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-78-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-76-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-74-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-72-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-70-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-68-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-66-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-64-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-60-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-58-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-56-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-54-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-52-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-50-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-48-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-46-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-44-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-40-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-38-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-36-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-32-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-30-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-28-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-26-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-62-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-42-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-22-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-21-0x0000000005190000-0x00000000051CF000-memory.dmp

memory/1008-927-0x0000000005230000-0x0000000005848000-memory.dmp

memory/1008-928-0x00000000058D0000-0x00000000059DA000-memory.dmp

memory/1008-929-0x0000000005A10000-0x0000000005A22000-memory.dmp

memory/1008-930-0x0000000005A30000-0x0000000005A6C000-memory.dmp

memory/1008-931-0x0000000005B80000-0x0000000005BCC000-memory.dmp

memory/1008-932-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1008-933-0x0000000000630000-0x000000000067B000-memory.dmp

memory/1008-935-0x0000000000400000-0x000000000044E000-memory.dmp