Malware Analysis Report

2024-12-07 04:07

Sample ID 241113-y6fzpsydqf
Target d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N
SHA256 d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612

Threat Level: Known bad

The file d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Healer

Redline family

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:23

Reported

2024-11-13 20:26

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe

"C:\Users\Admin\AppData\Local\Temp\d1c87259d8611552bfcad0b0de13a0d3778b55948d70786cdc818f2b4e1da612N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sw51Gf51Tz75.exe

MD5 4ddbf8e9efa1e6d33397a3817ac794d6
SHA1 bea9492f049d80d12b587d9af990e5328a966d21
SHA256 6db689501b029fcd35af979ab8c7b958647df3c9728d07334b92fb5956803e77
SHA512 1fbfdade572d37bb234a2cfffe5671f5b48aacb649bf0c25ffa1caa5542666c2ecb41fd60dd0a55de58927aacec3f07d375cccdd7247192030af4ad887ebc656

memory/3120-7-0x00007FFCC9A33000-0x00007FFCC9A35000-memory.dmp

memory/3120-8-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

memory/3120-9-0x00007FFCC9A33000-0x00007FFCC9A35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tzP99Er17.exe

MD5 47edc698fb60063cef4e63ee2d5d05bc
SHA1 8f7bc644d7a378df490ab77d7b3b9b2a25a870fa
SHA256 2561279e13e55b30c371c6d72c72bf9124697eec6395f1c1dfbbdd8ac3f5557f
SHA512 b6c7b5288217bd01efe5ee9ec396dc7471240749a9f8998ddec34f7a2a073bfaa062e4a72986d0dcb73e283dc60e0cfcd0885a2e68014598e86277dd80082715
