Malware Analysis Report

2024-12-07 04:11

Sample ID 241113-xtfbzaxfla
Target df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe
SHA256 df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db
Tags
healer redline sony discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db

Threat Level: Known bad

The file df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe was found to be: Known bad.

Malicious Activity Summary

healer redline sony discovery dropper evasion infostealer persistence trojan

Healer family

Detects Healer, an antivirus-disabler dropper

RedLine payload

Healer

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:08

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:08

Reported

2024-11-13 19:10

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe"

Signatures

Detects Healer, an antivirus-disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A

These five policy values switch off real-time monitoring, behaviour monitoring, on-access scanning and download (IOAV) scanning, which is the antivirus-disabler behaviour the Healer signature refers to. pro6257.exe is a 32-bit process (its crash is handled by the SysWOW64 WerFault.exe), so the sandbox records the writes under the WOW6432Node view of the registry; when hunting, check both HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and its WOW6432Node counterpart. The report does not record whether Defender in the sandbox honoured these values.

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A

TamperProtection under Windows Defender\Features is the flag behind Defender's Tamper Protection feature. When that feature is on, Defender is designed to block unprotected processes from changing this value and from disabling real-time protection through the policy keys above, so on a managed host this write is expected to fail or be reverted; the sandbox's Defender state is not recorded here. As with the policy values, the write went to the WOW6432Node view, so a hunt should also check HKLM\SOFTWARE\Microsoft\Windows Defender\Features.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe N/A

Both values are the standard cleanup entries written by the Windows self-extractor stub (wextract, the IExpress package format): at the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP and IXP001.TMP extraction folders. The outer package (the sample) writes wextract_cleanup0 and the inner package it extracted (un915031.exe) writes wextract_cleanup1, which is how the nested IXP000.TMP/IXP001.TMP layout arises. Being RunOnce values that delete the dropped files, they are anti-forensic cleanup rather than persistence for the malware itself; the signature name is the sandbox's generic label for any Run/RunOnce write. The wextract_cleanupN value names and IXP00N.TMP folders are a reliable indicator that a wextract package ran, and the folders are worth collecting before that logon happens.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A

Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is what the locale APIs do when a process asks for the system language, so every process in the chain trips this signature, including the two wextract stubs; on its own it is a weak indicator. In a stealer it is consistent with a locale gate that aborts on selected languages, but the report does not show what any process did with the value.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe
PID 900 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe
PID 900 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe
PID 2160 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe
PID 2160 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe
PID 2160 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe
PID 2160 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe
PID 2160 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe
PID 2160 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe

Every entry is a parent writing into the child it has just launched (900 into 2160, 2160 into 184 and into 3584), which matches the process chain in this report; no write into a process outside that chain is recorded. This is consistent with ordinary process creation and is not, by itself, evidence of injection into a foreign process.

Processes

Process tree (PIDs taken from the WriteProcessMemory, WerFault and memory-dump entries in this report; indentation shows parent and child):

C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe (PID 900)
    "C:\Users\Admin\AppData\Local\Temp\df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db.exe"

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe (PID 2160)
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe (PID 184)
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe (PID 3584)
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe

Crash handling for PID 184 (pro6257.exe), which is the "Program crash" entry in the summary:

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 184 -ip 184

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1084

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.33:4125 - tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 193.233.20.33:4125 - tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.33:4125 - tcp
RU 193.233.20.33:4125 - tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.233.20.33:4125 - tcp

"-" marks a connection with no associated domain. The five TCP sessions to 193.233.20.33:4125 are the only non-DNS traffic in the capture and are the indicator to block and hunt for; the report does not attribute them to a specific process. The UDP entries are reverse (PTR) lookups sent to 8.8.8.8; such queries are routine Windows background activity in a sandbox, and this report does not tie them to the sample.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un915031.exe

MD5 c960d9f6dcbcbb2ec6af63de44aa24d4
SHA1 c16bafa3a623c0be19548be347114ba329805322
SHA256 e1192dced232862951c22748d29247c875a836abfd0e0b8b55fea7f0422dabee
SHA512 4fb59c3af6d0653aeb0709043820805e1814df3813f87dc8a2d4c9f349cd51dc9a945efc82c58d218623114b7528cae10d9cf97f9330639f56ffd7cb9d87a872

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6257.exe

MD5 37d09084855f9f81ccb04e4a706878bd
SHA1 800d5a2c3f355efcd494a27b12b81034a36b02f6
SHA256 6fe7a8c81d0c5cea2f7a127b30d5814a52d8dfeb37e9dcedb3f407614938ad23
SHA512 50d2d67a47895612ab9e40b7dd00413d456c25fca72fa14b9513f86070e9cf38b5a6a7491f706d450b326546a3b46b26c5f046cedcbcc9948d80e383ef574e2f

memory/184-15-0x0000000000A30000-0x0000000000B30000-memory.dmp

memory/184-17-0x0000000000400000-0x000000000070C000-memory.dmp

memory/184-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/184-18-0x0000000000400000-0x000000000070C000-memory.dmp

memory/184-19-0x0000000000A00000-0x0000000000A1A000-memory.dmp

memory/184-20-0x0000000005100000-0x00000000056A4000-memory.dmp

memory/184-21-0x00000000022E0000-0x00000000022F8000-memory.dmp

memory/184-49-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-47-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-45-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-43-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-41-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-39-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-37-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-35-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-33-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-31-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-29-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-27-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-25-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-23-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-22-0x00000000022E0000-0x00000000022F2000-memory.dmp

memory/184-50-0x0000000000A30000-0x0000000000B30000-memory.dmp

memory/184-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/184-53-0x0000000000400000-0x000000000070C000-memory.dmp

memory/184-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1977.exe

MD5 92f5f0c9b0fc35b645ebc6870b7b0de3
SHA1 ee237a40508fa1f2f693ad490b7016f600d6ccbb
SHA256 be23e631366f6ec3b80e98de2c882934ea15241feedb0465454966c707958847
SHA512 2a359a9e97af530ad5c8b36736ebc10310f9cadff347cd5c7a87af4d92635c6d2d073b8be97fb4800d92d0acecc237911ab7d556126c40902358100c397a5895

memory/3584-60-0x0000000004C50000-0x0000000004C96000-memory.dmp

memory/3584-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp

memory/3584-65-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-73-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-95-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-91-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-89-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-87-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-85-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-83-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-81-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-79-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-77-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-75-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-71-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-69-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-67-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-93-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-63-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-62-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

memory/3584-968-0x0000000005350000-0x0000000005968000-memory.dmp

memory/3584-969-0x00000000059F0000-0x0000000005AFA000-memory.dmp

memory/3584-970-0x0000000005B30000-0x0000000005B42000-memory.dmp

memory/3584-971-0x0000000005B50000-0x0000000005B8C000-memory.dmp

memory/3584-972-0x0000000005CA0000-0x0000000005CEC000-memory.dmp
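The registry, RunOnce, file-hash and network indicators in this report, turned into a host-triage script. This is an added example and is not output of the sandbox or code from the sample: the registry paths, value names, SHA256 hashes and the 193.233.20.33 address are copied from the report, while the per-user Temp location it scans, the check of the native (non-WOW6432Node) registry view and the live-connection check with Get-NetTCPConnection are assumptions about the victim host rather than facts recorded here. Run it from an elevated PowerShell prompt on hosts suspected of having run the sample.

```powershell
#Requires -RunAsAdministrator
# Added host-triage script; not part of the sandbox report or of the sample.
# Registry paths, value names, hashes and the C2 address are taken from the
# report. Assumptions: per-user Temp folders live under
# <SystemDrive>\Users\<name>\AppData\Local\Temp, and Get-NetTCPConnection exists.

$DefenderValues = @(
    'DisableRealtimeMonitoring', 'DisableScanOnRealtimeEnable',
    'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableOnAccessProtection'
)
# The 32-bit dropper wrote the WOW6432Node view; the native view is checked too.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$FeatureKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features'
)
$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
# SHA256 values from the "Files" section plus the submitted sample.
$KnownBad = @{
    'df67bd166c510cbeaf3c8c018b9b0cf5136a36948105b80fe342666ced4ab9db' = 'submitted sample'
    'e1192dced232862951c22748d29247c875a836abfd0e0b8b55fea7f0422dabee' = 'un915031.exe'
    '6fe7a8c81d0c5cea2f7a127b30d5814a52d8dfeb37e9dcedb3f407614938ad23' = 'pro6257.exe'
    'be23e631366f6ec3b80e98de2c882934ea15241feedb0465454966c707958847' = 'qu1977.exe'
}
$C2Address = '193.233.20.33'

function Test-DefenderTamper {
    # Real-Time Protection policy values set to 1, or TamperProtection set to 0.
    $hits = @()
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $DefenderValues) {
            $p = $props.PSObject.Properties[$name]
            if ($p -and $p.Value -eq 1) { $hits += "$key\$name = 1" }
        }
    }
    foreach ($key in $FeatureKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = (Get-ItemProperty -LiteralPath $key).PSObject.Properties['TamperProtection']
        if ($p -and $p.Value -eq 0) { $hits += "$key\TamperProtection = 0" }
    }
    return $hits
}

function Get-WextractCleanup {
    # wextract_cleanupN RunOnce values delete an IXP00N.TMP folder at next logon.
    $hits = @()
    foreach ($key in $RunOnceKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -like 'wextract_cleanup*') {
                $hits += "$key\$name = $($item.GetValue($name))"
            }
        }
    }
    return $hits
}

function Find-DroppedFiles {
    # Hash everything still inside IXP*.TMP folders and label report hashes.
    $tempDirs = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
        Where-Object { Test-Path -LiteralPath $_ }
    $files = foreach ($temp in $tempDirs) {
        Get-ChildItem -LiteralPath $temp -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue |
            Get-ChildItem -File -Recurse -ErrorAction SilentlyContinue
    }
    foreach ($f in $files) {
        $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
        $label = if ($KnownBad.ContainsKey($h)) { $KnownBad[$h] } else { 'not in report' }
        "$($f.FullName) sha256=$h [$label]"
    }
}

function Get-C2Connections {
    if (-not (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) { return }
    Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
        ForEach-Object { "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))" }
}

$results = [ordered]@{
    'Defender tampering'       = Test-DefenderTamper
    'wextract RunOnce cleanup' = Get-WextractCleanup
    'IXP*.TMP contents'        = Find-DroppedFiles
    "TCP to $C2Address"        = Get-C2Connections
}
foreach ($section in $results.Keys) {
    "== $section =="
    if ($results[$section]) { $results[$section] | ForEach-Object { "  $_" } } else { '  (none)' }
}
```

A hit in the first section means Defender's real-time protection has been switched off by policy and needs to be re-enabled (and the cause removed) before the host can be trusted; a hit in the second or third section, even with unknown hashes, shows a wextract package ran and its extraction folder has not yet been cleaned up, so image the folder before the next logon deletes it. Absence of live TCP sessions proves little, since the sessions in the capture were short; use the address in network logs as well.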