Malware Analysis Report

2024-12-07 04:11

Sample ID 241113-xw36taxfqg
Target 95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N
SHA256 95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5

Threat Level: Known bad

The file 95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer, an antivirus disabler dropper

Healer family

Healer

RedLine payload

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:13

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit; no indicator detail was recorded in the export)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:13

Reported

2024-11-13 19:15

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(17 hits; description, indicator, process and target were not recorded in the export)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A

Note: these five values are the registry backing of the Defender "Real-time Protection" Group Policy settings; 182796443.exe writes them directly instead of going through policy, which is the behaviour the Healer classification refers to. The sandbox shows the writes under the WOW6432Node view because the dropper is a 32-bit process, so a host triage should read the key under both HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection. On a host with Tamper Protection enabled, Defender blocks or reverts these changes; the report records the attempts, not whether Defender honoured them.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 hits; description, indicator, process and target were not recorded in the export)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A

Note: TamperProtection = 0 under ...\Windows Defender\Features is an attempt to switch Tamper Protection off through the registry. Defender protects this value while Tamper Protection is on, so on a current Windows 10 host the write is a high-confidence detection opportunity rather than a working bypass; it only succeeds where Tamper Protection was already off, as on the sandbox VM.
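The two tables above (the Real-Time Protection policy values and the TamperProtection value) are the registry footprint a detection should key on. The following is an added example, not the sandbox's code: detection logic run over constructed Sysmon-style registry "value set" events (Event ID 13). The event layout (image / target / details), the allowlist of images that may legitimately apply Defender policy, and the sample events are assumptions made for illustration; the registry paths and value names are the ones this report shows. It normalises the WOW6432Node view so a 32-bit writer, as here, and a 64-bit one land on the same path, and it accepts both the sandbox's quoted-integer and Sysmon's DWORD value formats.

```python
"""Detect the Defender-disabling registry writes seen in this report.

Added example, not the sandbox's code. The event dict layout, the allowlist
and SAMPLE_EVENTS are assumptions; paths and value names come from the report."""
import re

# Real-Time Protection policy values Healer set to 1, and what each one turns off.
RTP_VALUES = {
    "disablerealtimemonitoring": "real-time scanning",
    "disablebehaviormonitoring": "behaviour monitoring",
    "disableonaccessprotection": "on-access file scanning",
    "disableioavprotection": "scanning of downloaded files and attachments",
    "disablescanonrealtimeenable": "process scan when real-time protection is re-enabled",
}
RTP_KEY = r"software\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"software\microsoft\windows defender\features"

# Assumption: images allowed to apply Defender policy on this fleet (GP client, gpupdate).
ALLOWED_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\gpupdate.exe"}

HIVE_RE = re.compile(r"^(?:\\registry\\machine\\|hklm\\|hkey_local_machine\\)")


def normalise_key(target):
    """Lower-case, strip the hive prefix and drop the WOW6432Node component so the
    32-bit and 64-bit registry views of the same policy key compare equal."""
    key = HIVE_RE.sub("", target.lower())
    return key.replace("\\wow6432node\\", "\\")


def as_int(details):
    """Accept Sysmon's 'DWORD (0x00000001)' and the sandbox's '"1"' value formats."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'\s*"?(\d+)"?\s*', details)
    return int(m.group(1)) if m else None


def assess(event):
    """Return a finding for a write that disables a Defender protection, else None."""
    if event["image"].lower() in ALLOWED_IMAGES:
        return None
    parent, _, name = normalise_key(event["target"]).rpartition("\\")
    value = as_int(event.get("details", ""))
    if parent == RTP_KEY and name in RTP_VALUES and value == 1:
        effect = RTP_VALUES[name]
    elif parent == FEATURES_KEY and name == "tamperprotection" and value == 0:
        effect = "tamper protection"
    else:
        return None
    return {"image": event["image"], "value": name, "disables": effect,
            "technique": "T1562.001"}  # ATT&CK: Impair Defenses, Disable or Modify Tools


def scan(events):
    """Findings for every event that disables a protection, in event order."""
    return [f for f in map(assess, events) if f]


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe"
SAMPLE_EVENTS = [  # constructed for this example
    # the write exactly as the sandbox printed it (32-bit view, quoted value)
    {"image": HEALER, "details": '"1"',
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    # the same kind of write as Sysmon would log it on a 64-bit host
    {"image": HEALER, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"image": HEALER, "details": '"0"',
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    # an administrator re-enabling real-time protection: value 0, not a finding
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    # Group Policy applying the same value is allowlisted by image
    {"image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is the weak point of any rule like this: a policy engine or EDR agent that legitimately writes these values must be added to it, and conversely an attacker running inside an allowlisted process goes unseen, so pair the rule with an alert on the values themselves changing to a disabling state regardless of writer.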

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe N/A

Note: despite the signature name, these RunOnce values do not start the payload at boot. The wextract_cleanupN name and the advpack.dll,DelNodeRunDLL32 command are what the Windows WExtract (IExpress) self-extractor stub registers so that its IXP00N.TMP extraction directory is deleted at the next logon. Three such entries, written by the submitted sample and by the first two extracted executables, show three nested self-extracting layers; the executables that matter run from IXP002.TMP, and the entries are useful mainly as a forensic marker of a WExtract-packed dropper chain.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe
PID 2740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe
PID 2740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe
PID 2608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe
PID 2608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe
PID 2608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe
PID 4468 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe
PID 4468 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe
PID 4468 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe
PID 4468 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe
PID 4468 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe
PID 4468 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe

Note: every write targets the child the writing process had just started (2740 to 2608, 2608 to 4468, 4468 to 2380 and to 3872), and the sandbox records several writes per process creation. These rows therefore document the drop chain rather than injection into a process the sample did not create.
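Reading the chain off the triplicated rows above, and tying each stage to the registry rows in the earlier tables, is easier with a small parser. The following is an added example, not part of the sandbox's output: it takes the WriteProcessMemory and registry signature rows of this report verbatim (embedded as constructed input), collapses the repeated per-write rows into one parent-to-child edge each, derives each file's extraction depth from its IXP00N.TMP directory, and prints the chain with the number of registry writes each process made. The regular expressions assume this page's "Description Indicator Process Target" column order.

```python
"""Rebuild the process chain and each stage's registry footprint from the
signature rows of this report. Added example, not sandbox output; the row
texts are copied from the tables above and the patterns assume this page's
"Description Indicator Process Target" column order."""
import re
from collections import OrderedDict

WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<src_path>C:\\\S+) (?P<dst_path>C:\\\S+)$")
REG_RE = re.compile(r'^(?P<op>Set value \([a-z]+\)|Key created|Key opened) '
                    r'(?P<key>\\REGISTRY\\.*?)(?: = "(?P<val>(?:\\.|[^"\\])*)")? '
                    r'(?P<proc>C:\\\S+) N/A$')

# Constructed input: the WriteProcessMemory rows above, verbatim (one row per write).
WPM_ROWS = r'''
PID 2740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe
PID 2740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe
PID 2740 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe
PID 2608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe
PID 2608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe
PID 2608 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe
PID 4468 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe
PID 4468 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe
PID 4468 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe
PID 4468 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe
PID 4468 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe
PID 4468 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe
'''
# Constructed input: the Defender, Features and RunOnce registry rows above, verbatim.
REG_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe N/A
'''


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_chain(rows):
    """Collapse per-write rows to one parent->child edge: ({parent: [child, ..]}, {pid: path})."""
    children, names = OrderedDict(), {}
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        src, dst = int(m["src"]), int(m["dst"])
        names[src], names[dst] = m["src_path"], m["dst_path"]
        if dst not in children.setdefault(src, []):
            children[src].append(dst)
    return children, names


def parse_registry(rows):
    """One dict per registry row: op, key, value (None for key create/open), proc."""
    events = []
    for line in rows.strip().splitlines():
        m = REG_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        events.append({"op": m["op"], "key": m["key"], "value": m["val"], "proc": m["proc"]})
    return events


def stage(path):
    """Extraction depth: IXP000.TMP holds the first self-extractor's output, IXP001.TMP
    the second's, and so on; the submitted sample itself is stage 0."""
    m = re.search(r"\\IXP(\d{3})\.TMP\\", path)
    return int(m.group(1)) + 1 if m else 0


def registry_summary(events):
    """{image name: [value/key name written, ...]}; key opens are discovery noise, skipped."""
    out = OrderedDict()
    for e in events:
        if e["op"] != "Key opened":
            out.setdefault(basename(e["proc"]), []).append(basename(e["key"]))
    return out


def render(children, names, events, pid=None, depth=0):
    """Indented chain: PID, extraction stage, image name, number of registry writes."""
    if pid is None:  # start from every PID that never appears as a child
        kids = {c for v in children.values() for c in v}
        return "\n".join(render(children, names, events, r) for r in children if r not in kids)
    writes = sum(1 for e in events if e["proc"] == names[pid] and e["op"] != "Key opened")
    line = f"{'  ' * depth}{pid}  stage {stage(names[pid])}  {basename(names[pid])}  ({writes} registry writes)"
    return "\n".join([line] + [render(children, names, events, c, depth + 1) for c in children.get(pid, [])])


if __name__ == "__main__":
    chain, names = parse_chain(WPM_ROWS)
    print(render(chain, names, parse_registry(REG_ROWS)))
```

The rendered chain shows all eight Defender-related writes coming from 182796443.exe at stage 3, while each WExtract stub (stages 0 to 2) makes exactly one write, its own wextract_cleanup RunOnce entry; 227601845.exe touches the registry only to read the language key.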

Processes

Process chain (PIDs taken from the WriteProcessMemory rows above; each child runs from the IXP00N.TMP directory its parent extracted, and no child received command-line arguments):

2740  "C:\Users\Admin\AppData\Local\Temp\95976df3c7ed87912b9b76bcb0e86ec10efa88f3b44818bf1627c4c88247d0a5N.exe"
  2608  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe
    4468  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe
      2380  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe  (writes the Defender registry values above: the antivirus-disabler stage the Healer signature describes)
      3872  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe  (the remaining payload; the RedLine payload signature lists no process, so its attribution to RedLine is by elimination)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp

Note: the UDP rows are reverse (PTR) lookups sent to 8.8.8.8 and name no sample-specific domain. The only other traffic is the TCP connection to 185.161.248.142:38452, made six times within the 124 s network window; the report resolves no domain for it, so the IP:port pair is the indicator to block and alert on. Given the RedLine classification this is the likely stealer C2 endpoint, although the report does not tie the connection to a particular process.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr507089.exe

MD5 adb09a17a455ea827759eeaad08cae1f
SHA1 f6be9f96e211191042ca3130a855330dfc625e29
SHA256 54190b45d73e3f90038648e291c6a164c5c90e4691d627985521e87a4fddf9d7
SHA512 41442d7eaf9db8eb58ad61c487bb94d58a60108680e89265cedc6ea9141e60bc17be0c0a495a605c147f760aeb3ba3b61dd62414a298cfbf0087985e14aa904b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cr525212.exe

MD5 885addfc48e37e36e6318b031935bb4d
SHA1 8bd37eb5f3acaae4f3c4fe2380727df49c100cbf
SHA256 4974f88217d86cd4b3cc64d83a1e7f29d38308d728c2a82164633528fa8a1370
SHA512 65aa081efe636e7bc152259f28db4038a25bdbb3e99a48c8949a948831c9b96150e5e5af43e5b41c0ccc8c7d0906c8678df0bafa1430847073358e1b8ca55fde

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\182796443.exe

MD5 9ef2855f09fe358bd0fdbc228b9e9e21
SHA1 10579660b8b6ef75fb554d8d0291781bc9ccacef
SHA256 bd8434e7bb37cf5034510afc2fbc1b2cfb732e803f811dfa3437a4e2ffa103c2
SHA512 fa43fd3f1848c4cc833405ed75004d02386b9703752e295476dfa123f06fce20ae742bcfe27dd7a1c4ad6ea8f716662d8d0001be28431a0f44d36ba0f9335a2d

memory/2380-22-0x00000000009F0000-0x0000000000AF0000-memory.dmp

memory/2380-23-0x0000000002760000-0x000000000277A000-memory.dmp

memory/2380-24-0x0000000004E50000-0x00000000053F4000-memory.dmp

memory/2380-25-0x00000000027D0000-0x00000000027E8000-memory.dmp

memory/2380-51-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-53-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-49-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-47-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-45-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-43-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-41-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-39-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-37-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-35-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-33-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-31-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-26-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-29-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-27-0x00000000027D0000-0x00000000027E2000-memory.dmp

memory/2380-55-0x00000000009F0000-0x0000000000AF0000-memory.dmp

memory/2380-54-0x0000000000400000-0x0000000000807000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\227601845.exe

MD5 6b3ff09a116856ac17e9c82bbaf1527c
SHA1 a170453febc4a8eb109b3c46a06594dc1a067aa3
SHA256 fe5ce146db3e584823a77407433a0c6cdaf6f4cc36d2bc8ef15ddaf1f975baa1
SHA512 8c6b958a81197c2ef80eb87e7630b36ac71833dc89a4fdd3a5e60265f3f4cede313156d6979253c3f9c4fe87aa845a57c0d2a1c0f2354187f624dbe8c515db7c

memory/2380-57-0x0000000000400000-0x0000000000807000-memory.dmp

memory/3872-62-0x0000000004D80000-0x0000000004DBC000-memory.dmp

memory/3872-63-0x0000000004E40000-0x0000000004E7A000-memory.dmp

memory/3872-69-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-77-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-95-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-93-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-91-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-89-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-87-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-85-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-83-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-79-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-75-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-73-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-71-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-97-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-81-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-67-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-65-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-64-0x0000000004E40000-0x0000000004E75000-memory.dmp

memory/3872-856-0x0000000007990000-0x0000000007FA8000-memory.dmp

memory/3872-857-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

memory/3872-858-0x0000000007FD0000-0x00000000080DA000-memory.dmp

memory/3872-859-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/3872-860-0x00000000048B0000-0x00000000048FC000-memory.dmp