Malware Analysis Report

2024-12-07 03:41

Sample ID: 241117-kp2yyswekn
Target: bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5
SHA256: bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5
Tags: healer redline fusa discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5

Threat Level: Known bad

The file bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline fusa discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

RedLine

Detects Healer an antivirus disabler dropper

Healer family

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:47

Signatures

Unsigned PE

Description Indicator Process Target
1 match; the export carries no per-row details for this signature

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:47

Reported

2024-11-17 08:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
17 matches; the export carries no per-row details for this signature

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A

Note: all six operations are attributed to bPr77.exe and are logged under the WOW6432Node (32-bit) view of the registry, consistent with bPr77.exe being a 32-bit process (its crash later in this report is handled by C:\Windows\SysWOW64\WerFault.exe). The export records the write attempts only; there is no result column, so it does not show whether real-time protection was actually turned off. A host check should read both the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection path and its WOW6432Node counterpart.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
2 matches; the export carries no per-row details for this signature

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEF01.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A

Note: Features\TamperProtection is the value that Tamper Protection itself guards. On a host with Tamper Protection enabled a user-mode write of 0 is expected to be rejected, and the export records the attempt, not its outcome. Read the row as intent to disable protection and confirm the live state on a suspect host (for example with Get-MpComputerStatus) rather than trusting the registry value alone.
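The two Defender tables above (the Real-Time Protection policy writes and the TamperProtection write, all by bPr77.exe) translate directly into a detection. The following is an added example, not code from the report or from the sandbox vendor: it normalizes registry paths (dropping the hive prefix and the WOW6432Node view so 32-bit and 64-bit writers match the same rule), decodes Sysmon's DWORD rendering, and flags Event ID 13 records that set any of the six values to the state seen here. The Sysmon records and their tab-separated layout are constructed for the example; the benign svchost.exe and MsMpEng.exe writes are assumed, included to show that only the tampered state is flagged.

```python
"""Flag Windows Defender tampering in registry value-set telemetry.

Added example; it is not part of the sandbox report or of any vendor tool.
It encodes the six registry writes the report attributes to bPr77.exe (five
Real-Time Protection policy DisableXxx values set to 1, Features\\TamperProtection
set to 0) and applies them to Sysmon Event ID 13 (RegistryEvent, value set)
records. The records below are constructed; their tab-separated Field=Value
layout is a simplification of Sysmon's XML, not a real export format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Paths are kept without a hive prefix and without the WOW6432Node view, so
# a 32-bit writer (bPr77.exe is one) and a native 64-bit writer hit the same rule.
RTP = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_TAMPER = {
    RTP + r"\DisableBehaviorMonitoring": "1",
    RTP + r"\DisableIOAVProtection": "1",
    RTP + r"\DisableOnAccessProtection": "1",
    RTP + r"\DisableRealtimeMonitoring": "1",
    RTP + r"\DisableScanOnRealtimeEnable": "1",
    r"SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection": "0",
}

_HIVE = re.compile(r"^(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)\\", re.IGNORECASE)
_WOW64 = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)
_DWORD = re.compile(r"^DWORD \((0x[0-9A-Fa-f]+)\)$")


def normalize_key(target: str) -> str:
    """Strip the hive prefix and the WOW6432Node view from a registry path."""
    return _WOW64.sub("", _HIVE.sub("", target))


def decode_details(details: str) -> str:
    """Render Sysmon's 'DWORD (0x00000001)' as '1'; other data is returned unchanged."""
    m = _DWORD.match(details)
    return str(int(m.group(1), 16)) if m else details


@dataclass(frozen=True)
class Finding:
    image: str  # process that performed the write
    key: str    # normalized registry path
    value: str  # value that was set


def parse_event(line: str) -> dict[str, str]:
    """Split one constructed record of tab-separated Field=Value pairs."""
    fields = {}
    for part in line.split("\t"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def scan(lines) -> list[Finding]:
    """One Finding per Event ID 13 record that sets a Defender value to its tampered state."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":  # 12 = key create/delete, 14 = rename: not value sets
            continue
        key = normalize_key(ev.get("TargetObject", ""))
        expected = DEFENDER_TAMPER.get(key)
        if expected is not None and decode_details(ev.get("Details", "")) == expected:
            findings.append(Finding(ev.get("Image", "?"), key, expected))
    return findings


def by_image(findings) -> dict[str, int]:
    """Distinct tampered values per writing process; a Healer-style disabler hits several at once."""
    keys = defaultdict(set)
    for f in findings:
        keys[f.image].add(f.key)
    return {image: len(k) for image, k in keys.items()}


def record(event_id: str, image: str, target: str, details: str) -> str:
    """Build one constructed record in the simplified layout parse_event expects."""
    return f"EventID={event_id}\tImage={image}\tTargetObject={target}\tDetails={details}"


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe"
WOW_RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [  # constructed records modelled on the report's registry rows
    record("13", DROPPER, WOW_RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    record("13", DROPPER, WOW_RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    record("13", DROPPER, WOW_RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    record("13", DROPPER, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    record("12", DROPPER, WOW_RTP, "Key created"),  # key creation, not a value set
    # assumed benign writes in the native view: policy re-enabling RTP, Defender's own TamperProtection state
    record("13", r"C:\Windows\System32\svchost.exe", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    record("13", r"C:\Program Files\Windows Defender\MsMpEng.exe", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000005)"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.image}: {f.key} = {f.value}")
    print(by_image(found))
```

Counting distinct tampered values per image is what separates a Healer-style disabler (several values within seconds from one unsigned binary under %TEMP%) from an administrator turning one setting off by policy; in production, key the rule on Sysmon's native fields rather than the simplified layout used here.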

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5.exe N/A

Note: wextract_cleanup0 is the cleanup entry written by Windows' own self-extracting cabinet stub (WEXTRACT, as used by IExpress packages); at the next logon rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP000.TMP extraction directory. It shows that the outer file is an IExpress-style SFX whose contents are bPr77.exe and cEF01.exe, not that either payload persists across reboots: nothing in this export starts them again.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEF01.exe N/A

Note: the export records only that each of the three processes opened the key; the value read and what was done with it are not shown.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5.exe

"C:\Users\Admin\AppData\Local\Temp\bb62abc515f207bc24b1aa820539e9f2f1087e403f1287dc607e33b2d15efcd5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 336 -ip 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1084

Note: the -p 336 argument names the crashing process. PID 336 is bPr77.exe (its memory dumps in the Files section are all memory/336-*), so the "Program crash" signature in the summary refers to the Healer dropper, handled by the 32-bit WerFault because bPr77.exe is a 32-bit process. No WerFault instance is recorded for cEF01.exe (PID 1364).

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEF01.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEF01.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp

Note: the in-addr.arpa rows are reverse (PTR) lookups sent to the 8.8.8.8 resolver, not connections; each asks about the address spelled backwards in the name (13.86.106.20.in-addr.arpa asks about 20.106.86.13). Such lookups are typical background OS traffic during detonation and should not be used as indicators without checking who owns the addresses. The only direct connection in the table is 193.233.20.12:4132 over TCP (RU), contacted six times; the export does not name the process that opened it.
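The table above repeats the same two destinations many times, and the DNS rows are reverse lookups rather than connections. As an added example, not part of the report, the following parses the Network table as listed above, collapses duplicates, decodes the in-addr.arpa names back to the addresses being looked up, isolates the one directly contacted endpoint as an indicator, and matches it against egress records. The firewall log lines and their 'ts action proto src -> dst' layout are constructed.

```python
"""Summarize the report's Network table and turn it into usable indicators.

Added example; it is not part of the sandbox report. NETWORK_TABLE holds the
rows exactly as the report lists them. FIREWALL_LOG is constructed to show the
extracted endpoint being matched against egress records.
"""
from __future__ import annotations

import re
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp
"""

_PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_rows(text: str) -> list[dict]:
    """Parse 'Country Destination [Domain] Proto' rows; Domain is empty for direct connections."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_target(domain: str) -> str | None:
    """Turn '13.86.106.20.in-addr.arpa' back into the address being looked up, 20.106.86.13."""
    m = _PTR.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows) -> Counter:
    """Collapse repeated rows into (destination, proto) -> count."""
    return Counter((r["dest"], r["proto"]) for r in rows)


def reverse_lookups(rows) -> list[str]:
    """Addresses the sandbox asked the resolver about (PTR queries), in table order, deduplicated."""
    seen: list[str] = []
    for r in rows:
        ip = ptr_target(r["domain"])
        if ip and ip not in seen:
            seen.append(ip)
    return seen


def candidate_c2(rows) -> list[str]:
    """Endpoints contacted directly, excluding the DNS resolver itself. Form: ip:port/proto."""
    return sorted({f"{r['dest']}/{r['proto']}" for r in rows if not r["dest"].endswith(":53")})


# Constructed egress records in a generic 'ts action proto src -> dst' form.
FIREWALL_LOG = [
    "2024-11-20T10:01:02Z allow tcp 10.0.0.15:49812 -> 193.233.20.12:4132",
    "2024-11-20T10:01:03Z allow udp 10.0.0.15:53211 -> 8.8.8.8:53",
    "2024-11-20T10:01:09Z allow tcp 10.0.0.15:49813 -> 193.233.20.12:443",
    "2024-11-20T10:02:41Z deny  tcp 10.0.0.22:51000 -> 193.233.20.12:4132",
]
_EGRESS = re.compile(r"^(\S+) (\S+)\s+(\S+) (\S+) -> (\S+)$")


def match_egress(lines, iocs) -> list[tuple[str, str]]:
    """(timestamp, source) for every record whose destination/proto is an indicator, allowed or denied."""
    wanted = set(iocs)
    hits = []
    for line in lines:
        m = _EGRESS.match(line)
        if not m:
            continue
        ts, _action, proto, src, dst = m.groups()
        if f"{dst}/{proto}" in wanted:
            hits.append((ts, src))
    return hits


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    for (dest, proto), n in summarize(rows).most_common():
        print(f"{n:2d} x {dest}/{proto}")
    print("reverse lookups for:", ", ".join(reverse_lookups(rows)))
    iocs = candidate_c2(rows)
    print("candidate C2:", iocs)
    for ts, src in match_egress(FIREWALL_LOG, iocs):
        print(f"hit {ts} from {src}")
```

Denied connections are kept as hits on purpose: a blocked attempt to reach the endpoint still identifies an infected source host, which is the question an incident responder is asking.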

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bPr77.exe

MD5 b9bfa2908eb962da4f144ac35fb6ed66
SHA1 e9ef92bd08cbb2f61ebd6a3c9496f77421ee2d22
SHA256 a40778a3aa01f23ca5223876de8cbad04ee33779a8de73b285ccbac400bb2470
SHA512 c1c4a899373c4b667b07f8685084537efe602397cab81168598031f56ed11d6d6b393ef5af669835c8f126067dc5e5446b945b9b614840c1707096dbbe288cac

memory/336-8-0x0000000000760000-0x0000000000860000-memory.dmp

memory/336-9-0x0000000000660000-0x000000000068D000-memory.dmp

memory/336-10-0x0000000000400000-0x0000000000430000-memory.dmp

memory/336-11-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/336-12-0x0000000002460000-0x000000000247A000-memory.dmp

memory/336-13-0x0000000004B70000-0x0000000005114000-memory.dmp

memory/336-14-0x0000000002520000-0x0000000002538000-memory.dmp

memory/336-15-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-24-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-42-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-40-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-38-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-36-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-34-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-32-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-30-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-28-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-26-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-22-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-20-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-18-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-16-0x0000000002520000-0x0000000002532000-memory.dmp

memory/336-43-0x0000000000760000-0x0000000000860000-memory.dmp

memory/336-44-0x0000000000660000-0x000000000068D000-memory.dmp

memory/336-45-0x0000000000400000-0x0000000000430000-memory.dmp

memory/336-48-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/336-49-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEF01.exe

MD5 da6f3bef8abc85bd09f50783059964e3
SHA1 a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256 e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

memory/1364-53-0x00000000749BE000-0x00000000749BF000-memory.dmp

memory/1364-54-0x0000000000150000-0x0000000000182000-memory.dmp

memory/1364-55-0x00000000050E0000-0x00000000056F8000-memory.dmp

memory/1364-56-0x0000000004C20000-0x0000000004D2A000-memory.dmp

memory/1364-57-0x0000000004B50000-0x0000000004B62000-memory.dmp

memory/1364-58-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

memory/1364-59-0x0000000004D30000-0x0000000004D7C000-memory.dmp

memory/1364-60-0x00000000749BE000-0x00000000749BF000-memory.dmp