Malware Analysis Report

2024-12-07 04:03

Sample ID 241113-xxd83sxkb1
Target 30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264N.exe
SHA256 30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264
Tags
healer redline rosto discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264N.exe was found to be: Known bad.

Malicious Activity Summary

Redline family

RedLine

Healer

RedLine payload

Healer family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:13

Reported

2024-11-13 19:15

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264N.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wreE50sI81.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wreE50sI81.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264N.exe

"C:\Users\Admin\AppData\Local\Temp\30c4f26f49e9f35303c2d11730f0c1ce7aee44205e7ab81c52111303e6f05264N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wreE50sI81.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wreE50sI81.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | hueref.eu | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp

Identical rows are collapsed above; the hueref.eu lookup appears 21 times in the capture.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\urMt28fO62.exe

MD5 166ead72c26011f43539a3074ae0aa1a
SHA1 4ab138026346a528705dbff8b1fe0ba74c194cc4
SHA256 38301a81a7d93f34f95210494d2b244d8f9f769d7f19422a5dc98163a8c82a08
SHA512 3bfbf1dc10f8480fbf672ed0132739710d3428a9667bd7dd7a393360c47b1e2706859c5e61f74ca1d44f5db1007799cb8374b97784db1c0008e4ae6c05248915

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wreE50sI81.exe

MD5 80ad78834be0ad9185b162f76f1a7e45
SHA1 a8c8609a21d6604ec0ae56e3f0c207efaf49c834
SHA256 6075119c12150786e65a66d8d4029583d731a576d624f23f1d98e7b3d52bf985
SHA512 19ce0b292ddd80090af629465d83a68fb89a0d1b2f80ec183fe0759ee358095dca2107bc99596059bace41472dc617661a4d68086b3b6866d47c07187245cd88
