Malware Analysis Report

2024-12-07 04:08

Sample ID 241113-y6b1rayfnl
Target 2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7
SHA256 2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer an antivirus disabler dropper

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 20:23

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 20:23
Reported 2024-11-13 20:26
Platform win10v2004-20241007-en
Max time kernel 141s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe
PID 2368 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe
PID 4228 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe
PID 1112 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe
PID 1916 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe
PID 1916 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe

"C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe

MD5 81695a25572f9b04f59a40e9255436e9
SHA1 d3c0e748f96d847e21343e32258bfefa92639b62
SHA256 e43217264dce9e9e706f490764a84e54ad3137e7c11257e539011f47a8b5c510
SHA512 d588355a7018e86b3895da68add882e4c2bce7a58a48ff38fb9f2b839333923f7badcf006705ee2b56741e37bb22aef31de4740f0104b707e2c5e6131e226878

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe

MD5 a8fa8b5b703cd4a989ebe6d3db1cc979
SHA1 a2fa8e852ce71c8a30d8b169b0f3e353e63385f3
SHA256 4fa8e60aa9a1518ecb06e8f4175024c4c4c619a84e1873806c43e2042e38cd85
SHA512 98064a4eae9de3c9dd66979991c36027afbfda471ba5d86b4b3bea0a7eea1ab434924d67a37c83ca2493dd41ab316a4bbff2a9e6cac9c01222e1935a0c1d9fef

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe

MD5 6dddc4eed66aeae399550478f80ceccd
SHA1 5a394c340ef198966e44a541824f0c743ff857e9
SHA256 a431548c5449115dc12c53266da5294f606369066f03d93efc87c2f4d3ccb44c
SHA512 8c0cdd158dc94c36e96e4baed5008b1de334dd7a7490490978154cc8b2843435b1c9f682c01b60162a0106c0329b9f19775bf0bc68b91af2360f62af8c772c1d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe

MD5 29fc7e4116d91cfa05827b9d438b0762
SHA1 3e4a5ecd904af4e6178c03d8bbe4fde231acd741
SHA256 e507f88f40fa5a08de94652d237f07fca16bc762af44bc9618812405f6af539d
SHA512 fc1995e59743f32d4dad2fda56ae13015c8ede26abd07602904f686022e7ab89de095d174854615bfcb64f25d22cc17dd6c4329882e3daa9f880424e0eb90e97

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2024-35-0x0000000000100000-0x000000000010A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe

MD5 1b19fb007cece0cb3086c05822851636
SHA1 b595026b70930eb8642ff1506f1516ac28d772f2
SHA256 eed41f31904040aa00292202a481d7fbedad4af7cb2edb54bc24ccf3b928b8df
SHA512 8416b777a0786a5e97c6150cfb6b038c39b8478a6d87f1d4f516d0aba3f094237b1348b9febb848a13b009239423575469bace06c0638befe1210232ae3a965c
