Malware Analysis Report

2024-12-07 04:07

Sample ID 241113-zankcayemf
Target 45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe
SHA256 45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8

Threat Level: Known bad

The file 45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe was found to be: Known bad.

Execution chain observed in the behavioral1 run (PIDs as recorded there):
- 45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe (PID 4800) is a wextract/IExpress-style self-extracting dropper: it unpacks un476497.exe into IXP000.TMP, runs it, and registers a RunOnce cleanup entry for that folder.
- un476497.exe (PID 4736) is a second self-extractor of the same kind: it unpacks pro5355.exe and qu5839.exe into IXP001.TMP and runs both.
- pro5355.exe (PID 1408) is the stage flagged as Healer, an antivirus disabler: it starts a second copy of itself (PID 3160), writes into it and calls SetThreadContext (a process-hollowing pattern), and writes registry values intended to disable Windows Defender real-time protection and tamper protection.
- qu5839.exe (PID 1112) is the final stage. The RedLine signatures in this report carry no process attribution, so the sandbox does not tie the RedLine label to a PID; the only direct outbound connection in the run is repeated TCP traffic to 176.113.115.145:4125.

Malicious Activity Summary

Signatures matched (details under Analysis: behavioral1):
RedLine
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
RedLine payload
Redline family
Detects Healer, an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15 (the matrix itself was not captured in this export). Techniques that follow directly from the signature names below: Impair Defenses: Disable or Modify Tools (T1562.001) for the Windows Defender registry changes; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) for the RunOnce values; Process Injection (T1055) for the WriteProcessMemory and SetThreadContext activity; System Location Discovery: System Language Discovery (T1614.001); Process Discovery (T1057) for the process enumeration.

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:31

Signatures

Unsigned PE
The PE carries no Authenticode signature. No further indicator details are recorded for this rule.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 20:31
Reported: 2024-11-13 20:33
Platform: win10v2004-20241007-en
Max time kernel: 111s
Max time network: 115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe"

Signatures

Detects Healer, an antivirus disabler dropper

17 rule hits; the report records no description, indicator, process or target for them.

Healer
Tags: dropper healer

Healer family
Tags: healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe (no target process recorded)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Values set (int) under that key, each = "1": DisableBehaviorMonitoring, DisableIOAVProtection, DisableOnAccessProtection, DisableRealtimeMonitoring, DisableScanOnRealtimeEnable

These are the policy-backed Defender settings, the same values an administrator would set under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, and together they turn off real-time scanning, behaviour monitoring, on-access scanning and IOAV (download and attachment) scanning. Two caveats: the report records the writes under the WOW6432Node path, i.e. through the 32-bit process's registry view, so these lines show the intent rather than prove that the 64-bit Defender service picked the settings up; and Defender's tamper protection exists to block exactly this class of change, but the report does not say whether it was enabled on the sandbox image. When hunting, check both the native and the WOW6432Node path of this key.

RedLine
Tags: infostealer redline

RedLine payload

19 rule hits; the report records no description, indicator, process or target for them.

Redline family
Tags: redline

Windows security modification

evasion trojan
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe (no target process recorded)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Set value (int) under that key: TamperProtection = "0"

TamperProtection = 0 is an attempt to switch off Defender's tamper protection alongside the real-time protection policy values above. The write went to the WOW6432Node view; the key that Defender actually reads, HKLM\SOFTWARE\Microsoft\Windows Defender\Features, is not listed as modified here, and that key is designed to reject changes from non-system processes while tamper protection is on. Treat this as an attempted rather than a confirmed bypass.

Adds Run key to start application

persistence
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by C:\Users\Admin\AppData\Local\Temp\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" by C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un476497.exe

The sandbox tags these as persistence, but they are not: wextract_cleanupN values are written by wextract.exe, the Windows self-extractor stub used by IExpress packages, and each one only runs advpack.dll's DelNodeRunDLL32 to delete the corresponding IXP00N.TMP extraction folder at the next logon. No payload is relaunched by them. What they do reveal is the packaging: the sample is an IExpress-style self-extracting executable (IXP000.TMP, cleanup0) that unpacks a second self-extractor, un476497.exe (IXP001.TMP, cleanup1). No Run key that would restart any of the dropped binaries appears in this report.
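The two Defender signatures above and the RunOnce entries in this section all come down to registry Set value events. The following is an added example written for this page, not code from the report or from any sandbox vendor: it parses events in the report's own line layout, flags the Defender real-time protection policy values and the TamperProtection write, and separates a Run/RunOnce value that launches something from the wextract cleanup entries, which only delete the IXP###.TMP folder via advpack.dll's DelNodeRunDLL32. The first four sample lines are copied from this report; the fifth (a hypothetical Run\Updater value pointing at upd.exe) is constructed to show the contrast. It also records whether the key sits under WOW6432Node, since a 32-bit writer's view may not be the one the 64-bit Defender service reads.

```python
"""Classify registry Set value events from a sandbox report.

Added example for this page (not code from the report or any sandbox
vendor). Flags Windows Defender tampering and separates real Run-key
persistence from wextract/IExpress cleanup entries.
"""
import re
from collections import Counter

# Constructed sample input in the report's own layout. The first four lines
# are copied from the report; the last one is a hypothetical Run value added
# to show the contrast with a cleanup-only RunOnce value (it is not in the
# report).
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\upd.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5839.exe
'''

# Layout: Set value (<type>) <key path> = "<value>" <process path>.
# The key path may contain spaces; the process paths in this report do not.
EVENT_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')

RTP_POLICY = "\\policies\\microsoft\\windows defender\\real-time protection\\"
DEFENDER_FEATURES = "\\microsoft\\windows defender\\features\\"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\")


def parse_event(line):
    """Return a dict for one Set value line, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    vtype, key, value, proc = m.groups()
    return {"type": vtype, "key": key, "value": value, "process": proc}


def classify(event):
    """Map one parsed event to a category string."""
    key = event["key"].lower()
    name = key.rsplit("\\", 1)[-1]
    value = event["value"]
    if RTP_POLICY in key and name.startswith("disable") and value == "1":
        return "defender_realtime_disabled"
    if DEFENDER_FEATURES in key and name == "tamperprotection" and value == "0":
        return "defender_tamper_protection_off"
    if RUN_KEY_RE.search(key):
        # wextract.exe (IExpress SFX stub) registers a RunOnce value that calls
        # advpack.dll!DelNodeRunDLL32 to delete its IXP###.TMP folder. That is
        # cleanup, not a way of relaunching the payload.
        if "advpack.dll,delnoderundll32" in value.lower():
            return "sfx_cleanup_runonce"
        return "run_key_persistence"
    return "other"


def analyze(text):
    """Parse every event line and attach a category and a WOW64-view flag."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ev["category"] = classify(ev)
        # A 32-bit writer's changes land in the WOW6432Node view; the 64-bit
        # Defender service reads the native view, so surface this to the analyst.
        ev["wow64_view"] = "\\wow6432node\\" in ev["key"].lower()
        findings.append(ev)
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        view = "WOW64 view" if f["wow64_view"] else "native view"
        proc = f["process"].rsplit("\\", 1)[-1]
        print(f"{f['category']:32} {view:12} {proc}")
    print(dict(summarize(results)))
```

Run against the five sample lines it reports two defender_realtime_disabled events, one defender_tamper_protection_off, one sfx_cleanup_runonce and one run_key_persistence, all in the WOW64 view; only the last of these is worth a persistence ticket.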

Suspicious use of SetThreadContext

PID 1408 (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe) set the thread context of PID 3160, a second instance of the same image (C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe). Together with the nine WriteProcessMemory calls from 1408 into 3160 listed below, this is the RunPE / process-hollowing pattern: a suspended copy of itself is started, its image is overwritten, and the entry point is redirected via SetThreadContext before the thread is resumed. The report records only the API use; the hollowing reading is an inference from that combination.

System Location Discovery: System Language Discovery

discovery
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each stage in turn:
C:\Users\Admin\AppData\Local\Temp\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un476497.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe (two events)
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5839.exe

Suspicious behavior: EnumeratesProcesses

Two process-enumeration events by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe (no indicator or target recorded).

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege enabled by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
Token: SeDebugPrivilege enabled by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5839.exe

SeDebugPrivilege lets a process open any other process with full access regardless of its owner; enabling it is the usual preparation for writing into, or reading from, another process's memory.

Suspicious use of WriteProcessMemory

Source PID -> target PID (events): source image -> target image
4800 -> 4736 (3): C:\Users\Admin\AppData\Local\Temp\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un476497.exe
4736 -> 1408 (3): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un476497.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
1408 -> 3160 (9): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
4736 -> 1112 (3): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un476497.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5839.exe

The three-event writes from a parent into a freshly created child are consistent with ordinary process creation as this log surfaces it; the nine writes from 1408 into its own second instance (3160) are consistent with the image overwrite of a hollowing, matching the SetThreadContext event above.
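Reconstructing the process tree and spotting the hollowing pattern from rows like these, as an added example written for this page (not code from the report or any sandbox vendor). It takes the WriteProcessMemory and SetThreadContext rows above (rebuilt inline with their repeat counts), treats the first process that writes into a PID as that PID's creator (an assumption that holds for this run's chain but not in general, since WriteProcessMemory alone does not prove a parent-child relationship), and flags any PID that both writes into and sets the thread context of another PID, marking same-image pairs as RunPE-style self-hollowing.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory / SetThreadContext
rows and flag process-hollowing style injection.

Added example for this page (not code from the report or any sandbox
vendor). Assumption: the first process that writes into a PID is that PID's
creator. That holds for this run's chain, but WriteProcessMemory alone does
not prove a parent-child relationship in general.
"""
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample input: this report's rows, rebuilt from the distinct
# (source, target) pairs with the repeat counts the report shows.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
MAIN = TMP + r"\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe"
UN476497 = TMP + r"\IXP000.TMP\un476497.exe"
PRO5355 = TMP + r"\IXP001.TMP\pro5355.exe"
QU5839 = TMP + r"\IXP001.TMP\qu5839.exe"
SAMPLE_ROWS = [
    (3, f"PID 4800 wrote to memory of 4736 N/A {MAIN} {UN476497}"),
    (3, f"PID 4736 wrote to memory of 1408 N/A {UN476497} {PRO5355}"),
    (9, f"PID 1408 wrote to memory of 3160 N/A {PRO5355} {PRO5355}"),
    (1, f"PID 1408 set thread context of 3160 N/A {PRO5355} {PRO5355}"),
    (3, f"PID 4736 wrote to memory of 1112 N/A {UN476497} {QU5839}"),
]
SAMPLE_EVENTS = "\n".join(row for n, row in SAMPLE_ROWS for _ in range(n))

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def parse_events(text):
    """One dict per row: src/dst PIDs, action ('write' or 'set_context'), images."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        events.append({"src": int(src), "dst": int(dst),
                       "action": "write" if action.startswith("wrote") else "set_context",
                       "src_image": src_img, "dst_image": dst_img})
    return events


def build_tree(events):
    """Return (parent_of, image_of). The first writer into a PID is its parent."""
    parent_of, image_of = {}, {}
    for ev in events:
        image_of.setdefault(ev["src"], ev["src_image"])
        image_of.setdefault(ev["dst"], ev["dst_image"])
        if ev["action"] == "write" and ev["dst"] not in parent_of:
            parent_of[ev["dst"]] = ev["src"]
    return parent_of, image_of


def find_injections(events):
    """PIDs that both wrote into and set the thread context of another PID.

    A same-image pair is the RunPE / process-hollowing pattern: a suspended
    copy of the injector is overwritten and its entry point redirected.
    """
    writes = Counter((e["src"], e["dst"]) for e in events if e["action"] == "write")
    images = {(e["src"], e["dst"]): (e["src_image"], e["dst_image"]) for e in events}
    findings, seen = [], set()
    for e in events:
        pair = (e["src"], e["dst"])
        if e["action"] != "set_context" or pair not in writes or pair in seen:
            continue
        seen.add(pair)
        src_img, dst_img = images[pair]
        same = src_img.lower() == dst_img.lower()
        findings.append({"injector": e["src"], "target": e["dst"],
                         "writes": writes[pair], "same_image": same,
                         "technique": "process hollowing (self-injection)" if same
                         else "remote thread context hijack"})
    return findings


def render_tree(parent_of, image_of, flagged=frozenset()):
    """Indented tree lines in creation order; flagged PIDs are marked."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        mark = "  <-- hollowed" if pid in flagged else ""
        lines.append("  " * depth + f"{pid} {ntpath.basename(image_of[pid])}{mark}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in [p for p in image_of if p not in parent_of]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    parent_of, image_of = build_tree(evs)
    injections = find_injections(evs)
    print("\n".join(render_tree(parent_of, image_of, {f["target"] for f in injections})))
    for f in injections:
        print(f"{f['injector']} -> {f['target']}: {f['technique']}, {f['writes']} writes")
```

On this report's rows the tree comes out as 4800 > 4736 > {1408 > 3160, 1112}, and the only injection finding is 1408 into 3160 with nine writes and a matching image, i.e. self-hollowing. A pair with differing images would be reported as a remote thread-context hijack instead.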

Processes

Process tree reconstructed from the WriteProcessMemory and SetThreadContext events above (PIDs as recorded in the run; the report lists each image twice, path and command line, and pro5355.exe four times because two instances ran):

C:\Users\Admin\AppData\Local\Temp\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe (PID 4800)
  command line: "C:\Users\Admin\AppData\Local\Temp\45ca9c62cbfc50748697d4ed00ef5c66d60582dbd10d94f88eb53a77f13df6d8N.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un476497.exe (PID 4736)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe (PID 1408)
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe (PID 3160, second instance written to and thread-context-set by 1408)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5839.exe (PID 1112)

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            217.106.137.52.in-addr.arpa   udp
RU       176.113.115.145:4125                                tcp
US       8.8.8.8:53            133.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            154.239.44.20.in-addr.arpa    udp
RU       176.113.115.145:4125                                tcp
US       8.8.8.8:53            53.210.109.20.in-addr.arpa    udp
US       8.8.8.8:53            241.42.69.40.in-addr.arpa     udp
RU       176.113.115.145:4125                                tcp
US       8.8.8.8:53            102.144.22.2.in-addr.arpa     udp
RU       176.113.115.145:4125                                tcp
US       8.8.8.8:53            23.236.111.52.in-addr.arpa    udp
RU       176.113.115.145:4125                                tcp

The udp rows are reverse (PTR) lookups sent to 8.8.8.8; the Domain column is empty for the tcp rows. The five tcp rows are repeated connections to 176.113.115.145:4125 (RU), the only direct outbound connection in the run and, given the RedLine classification, the likely command-and-control endpoint; the report does not attribute the connection to a process, so that last point is an inference.
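Normalising rows like these, as an added example written for this page (not code from the report or any sandbox vendor): it decodes each in-addr.arpa PTR query name back to the address being looked up, and separates such lookups from direct connections, which are counted per endpoint. The decoder also handles ip6.arpa names, which do not occur in this run; the sample rows are the report's own Network table.

```python
"""Normalise sandbox network rows: decode PTR query names back to addresses
and separate DNS lookups from direct connections.

Added example for this page (not code from the report). The sample rows are
this report's Network table; the ip6.arpa branch is a generalisation that
this run does not exercise.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample input: the report's own Network rows, in its layout
# "<country> <ip>:<port> [<queried name>] <proto>".
SAMPLE_NETWORK = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")


def reverse_name_to_ip(name):
    """Map an in-addr.arpa / ip6.arpa query name to the address it asks about.

    Returns None for anything that is not a well-formed reverse name.
    """
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # IPv4: four octets in reverse order.
            return str(ipaddress.ip_address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # IPv6: 32 nibbles in reverse order, regrouped into 8 hextets.
            nibbles = "".join(reversed(labels[:32]))
            groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
            return str(ipaddress.ip_address(":".join(groups)))
    except ValueError:
        return None
    return None


def parse_rows(text):
    """Parse the table into dicts; rows that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, name, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "name": name, "proto": proto})
    return rows


def summarize(rows):
    """Split rows into PTR lookups (keyed by the decoded address), other DNS
    names, and direct connections counted per (ip, port, proto, country)."""
    ptr, other_dns, direct = Counter(), [], Counter()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp" and r["name"]:
            addr = reverse_name_to_ip(r["name"])
            if addr:
                ptr[addr] += 1
            else:
                other_dns.append(r["name"])
        else:
            direct[(r["ip"], r["port"], r["proto"], r["country"])] += 1
    return {"ptr_lookups": dict(ptr), "other_dns": other_dns, "direct": dict(direct)}


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_NETWORK))
    print("Reverse lookups for:", ", ".join(sorted(summary["ptr_lookups"])))
    for (ip, port, proto, cc), n in summary["direct"].items():
        print(f"direct {proto} {ip}:{port} ({cc}) x{n}")
```

For this table the decoded lookups are eight distinct addresses (217.106.137.52.in-addr.arpa is 52.137.106.217, and so on) and the only direct endpoint is 176.113.115.145:4125/tcp seen five times, which is the IOC worth exporting; the PTR targets are addresses something on the host resolved, not necessarily contacted.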

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un476497.exe
MD5    d67ad4ec73dc55c66cf686a14b3a959c
SHA1   f9e8ee9a06b4626081d8f678c1dba363fd718a65
SHA256 ccf29cb7a247613252b931070b38cb39a3c6d64662e369551d61911ea5d5fabf
SHA512 704226f056f355290259141a114e15f3aa73a513d05d6781891939ef72c93e79552482fa8c47e28c3adc3200c1ffd7784608c5439b8b4f83b2db764235cba21c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5355.exe
MD5    757b21b2f02e86f76b2db189b14a9c8b
SHA1   78dc622f3edeec778557e78d77618bb659d41aaf
SHA256 69634db2a628037c4ef3d277de12c31962a1dc420e41e2f9f201a0b18a2920af
SHA512 0b4319fc6c35f90dc74c42f99a02084dc3d25eedb18b98be46ed6269a48421b0a0d4f957e1aec42f645d4e8c59118f6de67758d12935e4c60b848acff9c5a495

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5839.exe
MD5    85037860efb74eb3e17a5b3b38b5944e
SHA1   56ff1ad47d214bc6fb2d9c98db0bc2741226d7e3
SHA256 db9f58ef5bcdd1842d7ccd764ba068a913b5fda798b19e9583cdf284a47fc685
SHA512 56bd49b85e106dc80a0c9c90139ec1ef31243df2242e58eddec3fd326effae5195d7563d356d92462b126931a4fbf69d186509aa954a2e8ea591dae7917c836c

Memory dumps, grouped by PID and region (dump indices in parentheses; the report names them memory/<PID>-<index>-<start>-<end>-memory.dmp):

PID 1408, pro5355.exe (first instance)
0x00000000005B0000-0x00000000006B0000 (15)
0x0000000000580000-0x00000000005AE000 (16)

PID 3160, pro5355.exe (second instance)
0x0000000000400000-0x0000000000430000 (17, 22, 23, 25, 973, 977)
0x00000000008C0000-0x00000000008DA000 (27)
0x0000000004A90000-0x0000000005034000 (28)
0x0000000002230000-0x0000000002248000 (29)
0x0000000002230000-0x0000000002242000 (32, 34, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59)

PID 1112, qu5839.exe
0x0000000002430000-0x0000000002476000 (30)
0x00000000050B0000-0x00000000050F4000 (31)
0x00000000050B0000-0x00000000050EF000 (60, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91)
0x00000000050F0000-0x0000000005708000 (966)
0x0000000005790000-0x000000000589A000 (967)
0x00000000058D0000-0x00000000058E2000 (968)
0x00000000058F0000-0x000000000592C000 (969)
0x0000000005A40000-0x0000000005A8C000 (970)

The repeated dumps of 0x400000-0x430000 in PID 3160 cover the image region of the second pro5355.exe instance, which is where an injected payload lands in a hollowing (inference from the WriteProcessMemory and SetThreadContext events above). The 0x2230000 region in 3160 and the 0x50B0000 region in 1112 were dumped repeatedly over the run; for a stealer, the later dumps of 1112 are the ones to carve for the unpacked payload and its configuration.