Malware Analysis Report

2024-12-07 04:07

Sample ID 241113-zj2hkayjcy
Target fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f.exe
SHA256 fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f
Tags healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f

Threat Level: Known bad

The file fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine

Healer

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:45

Reported

2024-11-13 20:48

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caZt83dC75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caZt83dC75.exe N/A

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f.exe "C:\Users\Admin\AppData\Local\Temp\fb5ba151d01351cc53a32fbf56d2a3d35a7541e0d0a744e01dd20a1fe3b00e8f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caZt83dC75.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caZt83dC75.exe
C:\Windows\system32\sc.exe C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buDB57gx21.exe

MD5 3775024156e7208122d074eca73e9240
SHA1 51d08d1fd315472e8a93a911c2e3809833cc4536
SHA256 c97a12f6d133e8686a846ab0a52c6dd01416af1fdf98ce3b4315b816899a004f
SHA512 910eb218bc19a5be8b209ea139bb3641b14f5db7e301339405af7b5e5285753ee0fbdcb49a7fb877480a1b1f4520a795c60fcc9f43dcd81a670b04101339ed42

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caZt83dC75.exe

MD5 1c5a86f75232313703fab93a198cfae7
SHA1 ecf2d10a917811db5f5da1e29c929ab6a2866a0e
SHA256 6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
SHA512 fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f
