Malware Analysis Report

2024-12-07 04:06

Sample ID 241113-yqpa5s1qgm
Target 73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe
SHA256 73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a
Tags
healer redline diza norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a

Threat Level: Known bad

The file 73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe was found to be: Known bad.

Malicious Activity Summary

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Healer

Healer family

RedLine payload

Redline family

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:59

Reported

2024-11-13 20:01

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A (17 matches recorded, each with no description, indicator, process or target)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A (5 matches recorded, each with no description, indicator, process or target)

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
--- | --- | --- | ---
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137231.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 2740 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe
PID 2740 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe
PID 2740 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe
PID 3248 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe
PID 3248 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe
PID 3248 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe
PID 3248 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe
PID 3248 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe
PID 3248 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe
PID 4468 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe | C:\Windows\Temp\1.exe
PID 4468 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe | C:\Windows\Temp\1.exe
PID 4468 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe | C:\Windows\Temp\1.exe
PID 2740 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137231.exe
PID 2740 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137231.exe
PID 2740 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137231.exe

Processes

Process | Command line
--- | ---
C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe | "C:\Users\Admin\AppData\Local\Temp\73bd682b43cdd552a51c741bd620bc0bf62542149de4f8243dcd29ab2cb10d0a.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 64 -ip 64
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1100
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe
C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1384
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137231.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137231.exe

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un207624.exe

MD5 e0b8ac93777bbdedb171e89aee222936
SHA1 977f398d6b9f3e253144ccc40c9318ada526ce2b
SHA256 8d61318da968323c081754a7f329793056ffd79a9aa4556c0cc1e3fd43337c80
SHA512 e566d7ae28134172b37bda90d015d8e228298483d57bc01b429b0b2288621b4743d19febcd3e716c6dcc8b3ca20cae48212477ef66022ae624659b74dc385e39

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2810.exe

MD5 2d49b183c9fd36b9ca08fabf4683487c
SHA1 70d28e4ddd349c13fcee4bcc240125415a6bbf2e
SHA256 2ee4b04eb993b9f4d2bec20b1d75368ef1ba7e632577aef9235da12d7a8fc46d
SHA512 31d164834169af35229895e5b510515873e4b948bb0020e9ba3cb0b0c73580ce22c770560ae182ba8f042de957a053dca6939f1fede416803e190f8d4c5619da

memory/64-15-0x0000000000890000-0x0000000000990000-memory.dmp

memory/64-17-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/64-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/64-18-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/64-19-0x00000000023D0000-0x00000000023EA000-memory.dmp

memory/64-20-0x0000000004D90000-0x0000000005334000-memory.dmp

memory/64-21-0x0000000004B90000-0x0000000004BA8000-memory.dmp

memory/64-49-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-47-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-45-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-43-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-41-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-39-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-37-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-35-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-33-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-31-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-29-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-27-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-25-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-23-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-22-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/64-50-0x0000000000890000-0x0000000000990000-memory.dmp

memory/64-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/64-54-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/64-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3797.exe

MD5 6a5a97176911b41ddadfc47cd2950706
SHA1 de825760af319ffd6b6ba4eab64f39ccc1d8a1ab
SHA256 723140c88d1a28cfdc186462fdf079f4efd5b0b5fefc130f3fba9bf6c2357806
SHA512 a1f7743ccbff74ead5b738a9062bc08352cbf1f778378233bf50774ea756566348fef02c4fd731abcceeedc317b84a0e2f6efe29c6c20d55c313e161071df74c

memory/4468-60-0x0000000004CA0000-0x0000000004D06000-memory.dmp

memory/4468-61-0x0000000002680000-0x00000000026E6000-memory.dmp

memory/4468-63-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-62-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-81-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-95-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-93-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-91-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-87-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-85-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-83-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-79-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-77-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-75-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-73-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-71-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-69-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-67-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-65-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-89-0x0000000002680000-0x00000000026DF000-memory.dmp

memory/4468-2142-0x0000000004C60000-0x0000000004C92000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/4732-2155-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/4732-2156-0x0000000002530000-0x0000000002536000-memory.dmp

memory/4732-2157-0x0000000005390000-0x00000000059A8000-memory.dmp

memory/4732-2158-0x0000000004E80000-0x0000000004F8A000-memory.dmp

memory/4732-2159-0x0000000004D40000-0x0000000004D52000-memory.dmp

memory/4732-2160-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

memory/4732-2161-0x0000000004E00000-0x0000000004E4C000-memory.dmp

memory/3192-2166-0x0000000000D00000-0x0000000000D2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si137231.exe

MD5 c2be80fc9ded908a2c686811cf141fb2
SHA1 74eee2672bcc0ca20cb4927d0544e2856ed7b5f9
SHA256 215efe6b5e84d6c9ec3532d6d84647864ac99c41deb5d21e84626b0c5e0e1c92
SHA512 a23c23023eb113f5001c9a894b6cef1b76557f2eaccb3eac41c74703e7cb64d936773c1ec051f922315ec950a6f505c699183333eb9c0eb9322b6c16a3ccba30

memory/3192-2167-0x00000000013C0000-0x00000000013C6000-memory.dmp