Malware Analysis Report

2024-12-07 04:09

Sample ID 241113-yf9jbsxncw
Target 106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe
SHA256 106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe

Threat Level: Known bad

The file 106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer family

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:44

Reported

2024-11-13 19:47

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe

"C:\Users\Admin\AppData\Local\Temp\106020cc65e83aa47d7d68fc773889505ff2f7540aefdcc10f55dbc9e219fcbe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 176.113.115.145:4125 | | tcp
RU | 176.113.115.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAw0233.exe

MD5 410ee0e9160080cbc93b34d7d3d5ae2f
SHA1 2a7f90789db33e01d6296cbb753b44fc36a129b4
SHA256 e51ad54d5e20a2992e1ea3c7ae372beac5182dcff70984ee7a73a8194186c347
SHA512 06ba783e8dfd1bbc8ee64be212e5f423dfc6840d05986f5a3a06c124f805202161401f752be819d8693ae7e39377b4fdcb64550b00a2605fac2cd7fb6e32ae9d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr327428.exe

MD5 c2a05bf02a5e6ce6beeb1b747f006b3e
SHA1 801edcbef274e47c522bb985467ced3bff296dfb
SHA256 cb2b0d97af25b121dd8ef83a7003f3cee9469acd374d0d04986be37c76ed060b
SHA512 dc399d61fc7efeea480ef95f008d13c6b040080246eac7efd56e43457af2d0d6a5e89f16c63eb339d98d0b0d2b8ed1879ce4bc707111f5b74f928f1499182d56

memory/2820-14-0x0000000000300000-0x000000000030A000-memory.dmp

memory/2820-15-0x00007FFD35C63000-0x00007FFD35C65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku435802.exe

MD5 846bccad745dd9c3554ac6c3ac4897f0
SHA1 207773905bf2ef9a81f9127b914642ca49639def
SHA256 d50e724b0f736b7db102e3d13354825c39e1235e80235adbef29a6ec680a84d9
SHA512 c5385ed983b366d7627bb0ca26f27a3f5dbbccd9a0c1ba1721cb684fd702846e4dc9f8d4499b86ed69236cdbf364a1a0e5f7f45b49fba93214a9c2c39bbb8c55