Malware Analysis Report

2024-12-07 04:08

Sample ID: 241113-zfmv1askeq
Target: 26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6
SHA256: 26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6
Tags: healer, redline, rumfa, discovery, dropper, evasion, infostealer, persistence, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6

Threat Level: Known bad

The file 26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6 was found to be: Known bad.

Malicious Activity Summary

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

RedLine

Redline family

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-11-13 20:39

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 20:39
Reported: 2024-11-13 20:42
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

Tags: dropper, healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion, trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A

RedLine

Tags: infostealer, redline

RedLine payload

Redline family

Tags: redline

Windows security modification

Tags: evasion, trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4132 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe
PID 4400 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe
PID 2656 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe
PID 3632 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe
PID 928 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe
PID 928 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe

"C:\Users\Admin\AppData\Local\Temp\26959627cc04dfa9f5af7ce16521372f69190f8244673df72e99c21c436314a6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pltl28SX42.exe

MD5 1a29062a3b6ecfb1e0e15146e3f4a0f0
SHA1 f7ca636a88707be0daa090e81abd991d3e85a15c
SHA256 755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9
SHA512 7c3b557c47c254daef57c31209e25b1ce329d2829abaea20a259fd6dc2124b3ca45c7ef3037b7e6fda75bdcc418841296748d7206eb7b759bb3f95d125cda885

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plUA07sK23.exe

MD5 be704dd2becfc994a21d58a33e93ba97
SHA1 b9b42f262eb32e4d3cb9fc1fc40cfcf87b62c87c
SHA256 39d10d316230362d345728bc995a0710205b1e011d14a06cab138f7a2b066c1c
SHA512 41e1978648ae815d1a86c1c9b4dd47ee236acff24dc43c428ed91dc70d04035514c17aa76308fc4cd1e7bd7ac4c5240f3df6f445c1b10ee7c9e8922c0cffbc46

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSC79Ev52.exe

MD5 595012eba8deca6530704fd09b6d27b6
SHA1 ec095c60658465fba60d326545a24460bed0875d
SHA256 a497a6c1cbe29e984eb2b74a7ffd4df3e9fc7e1cec9dbed4703edc6bf679dbc4
SHA512 d3dc363c2180669d25237f2475c9eb9914c8b97cf4b3fa4f4f01202e1272fe2dafced4fe582a3a8bcfa18c3b6690ded1709e6de13749d7a14f7f51b0250832c5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plDv13Mo92.exe

MD5 fb801db9f05b95fd3db16a4d59c6e346
SHA1 3635ac9b4370430de1b9d709672a1014050bcd67
SHA256 e2d6e7b34ab435e695604014b09678344d950997b922bed43888cf388db73426
SHA512 a12d5995484fe9a3f02e7187d19d5ada35b4065198593b833c52dfbfbae870a232b12a36789789d44690ff017ba689107ca31606b0026ba2b5f80350402d6089

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupU57YL07.exe

MD5 6fc39149b0ad5a9cc8f325e78d2c1d45
SHA1 d07a1d90a20a80c0ac215d3bb30f9311481e3d86
SHA256 4465c8a76b5fdf1f2cd4a4bf81397e6366ede4f0333933e2474e380fd21c1301
SHA512 e44629576500f40ee9431f0ccc57a313f88496084bb2c4b54124ba46fe23d2f8afc7046c5443966a6f0d6ad69ec8fd7aa2ab0312a1a2873d85c824670bd6c486

memory/1340-35-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVZ71Tq47.exe

MD5 5b4052ee747278a02dac44898f59aaee
SHA1 6b59810f74916a6921ea2276b57b6f5f61c79654
SHA256 baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80
SHA512 9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23