Malware Analysis Report

2024-12-07 04:08

Sample ID 241113-zjp5jayjcs
Target 2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05
SHA256 2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05

Threat Level: Known bad

The file 2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

Healer family

RedLine

Detects Healer an antivirus disabler dropper

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:45

Reported

2024-11-13 20:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1796 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe
PID 1796 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe
PID 1796 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe
PID 3124 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe
PID 3124 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe
PID 3124 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe
PID 3124 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe
PID 3124 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe
PID 3124 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe

"C:\Users\Admin\AppData\Local\Temp\2b576ef794d567abd0bc1bade2aeee658b279c44fa9faafe05f959612bb7dd05.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
RU | 185.161.248.143:38452 | (none) | tcp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un807252.exe

MD5 ed13505df2286e5ae96a34c065bc57c1
SHA1 0770aabf4782f12e3607ea462c7711492c5dcbad
SHA256 5ec70a11fdbab2c76d59fba29f9e42abab67f4ca8be4c8d1f30e8a1a3f527515
SHA512 7b7b6f4a7dc870d70e79ec5cf57f37fe07dfad2d21adf8ef4a664e1452af5c15bbeb8053674705199b0887d3296fb9dbf7b910050396e8241f8f0780042a7075

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53290689.exe

MD5 51a801034a5d45f54dd55de369c0adc2
SHA1 c7f168526a9d8e8ea55c201451311c79cdb7e2bf
SHA256 903f54a25c54e322b767a7439c411e2f9fbcd79af576315d0976eb7ad72f3ec3
SHA512 5e82f4429e41b3fbd959d6da6ed06ee3263b72d3b91c7c971032aed3c441f45d85e579302563d6ac5531224af6cd68092485e36c994e838607c4b55e70f70828

memory/3988-15-0x0000000002D70000-0x0000000002E70000-memory.dmp

memory/3988-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3988-17-0x0000000004B80000-0x0000000004B9A000-memory.dmp

memory/3988-18-0x0000000007320000-0x00000000078C4000-memory.dmp

memory/3988-20-0x0000000000400000-0x0000000002B9D000-memory.dmp

memory/3988-19-0x0000000004C00000-0x0000000004C18000-memory.dmp

memory/3988-22-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-21-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-48-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-46-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-32-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-28-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-26-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-24-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-44-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-42-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-40-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-38-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-36-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-34-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-30-0x0000000004C00000-0x0000000004C13000-memory.dmp

memory/3988-50-0x0000000002D70000-0x0000000002E70000-memory.dmp

memory/3988-49-0x0000000000400000-0x0000000002B9D000-memory.dmp

memory/3988-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3988-53-0x0000000000400000-0x0000000002B9D000-memory.dmp

memory/3988-54-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk994796.exe

MD5 0a0faa1473bd0474af0c37e5f5b062ab
SHA1 02ebe9bc96029de80fa458530f39c4776d3fcdca
SHA256 d431bf8c906c891f7583696639193d132051a91c51206423170162debbb1d94b
SHA512 e90e9e3ebe0d54893c049b641e9feecc7a9c1db5887a16af175aa00e6d055cb169f10bbff8e72af4da2925c2414f43ff1fd0da185f4c7ca89a190c9d4f685520

memory/2728-59-0x0000000004C10000-0x0000000004C4C000-memory.dmp

memory/2728-60-0x0000000007190000-0x00000000071CA000-memory.dmp

memory/2728-74-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-72-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-94-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-92-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-90-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-88-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-86-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-84-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-82-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-80-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-78-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-76-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-70-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-68-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-66-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-64-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-62-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-61-0x0000000007190000-0x00000000071C5000-memory.dmp

memory/2728-853-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

memory/2728-854-0x000000000A340000-0x000000000A352000-memory.dmp

memory/2728-855-0x000000000A360000-0x000000000A46A000-memory.dmp

memory/2728-856-0x000000000A480000-0x000000000A4BC000-memory.dmp

memory/2728-857-0x0000000006CC0000-0x0000000006D0C000-memory.dmp