Malware Analysis Report

2025-03-15 01:40

Sample ID 230910-q1cq4ahe3x
Target 594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd
SHA256 594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd
Tags
healer redline virad dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd

Threat Level: Known bad

The file 594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

RedLine

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates system info in registry

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:43

Reported

2023-09-10 13:45

Platform

win10v2004-20230831-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{287BE6AC-DCF4-48A1-894F-B4DB4A43E832}.catalogItem C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2788 set thread context of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe
PID 1360 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe
PID 1360 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe
PID 2360 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe
PID 2360 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe
PID 2360 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe
PID 2236 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe
PID 2236 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe
PID 2236 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2788 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4189006.exe
PID 2236 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4189006.exe
PID 2236 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4189006.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd.exe

"C:\Users\Admin\AppData\Local\Temp\594d73971666fa3abbfd0bf25b0ce18dcf95f1dee60ca7bf31d577b0a9da55cd.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 556

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4189006.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4189006.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3565529.exe

MD5 5615e1afeee59a1f3b9eff12900d5d11
SHA1 93d4bfa4a7af30fea5f3d055ec452f7737227331
SHA256 6db5b3d3aabe695f75056e60876fd4f7da9ad85d9eb55ed21d9de732bdda0cee
SHA512 ca5eb90aba32b4cea2873adc61e712fc800cf4153ab7fe995ddce16e95c037f917423ea7ccf043705c7c1c20ce0c399fc0cf0c822ca0bf09c0163cf86431fe0e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1509144.exe

MD5 fcb90f6eeb24a71916abfc593eee605e
SHA1 24901896ad89dc2cdbd12379c1d7910f8ffa43c3
SHA256 a2cf1d189cd791a0962c8cad06f477af04424bfd7b6b6dae8a27e449e120e2dc
SHA512 431af285d6c178a7ceadf7301e41e9a42dc52a2e22d18cd5fe30641776f2ce7e443c9fb8b600d85161e8c92286f324950ce3fb7e89c26d8694bccdef0dcd3089

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1683869.exe

MD5 e8468427b4576115799128b45b1b9bcd
SHA1 8b379180df35d99735d4d6136ea4de7da67c7ece
SHA256 a90dc3d5acbc47e7260c661c21b522378757dd4da851634634e8d1f180d26993
SHA512 c3b84711f77ef0015d14e1c7e1c166dd5c7335f9dad555dd1abe92fa0347c2f39bb88b0326be926f49ce460850d6a7a770523b544d773eac91f63a5ee73e6961

memory/1280-22-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1280-29-0x0000000074760000-0x0000000074F10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4189006.exe

MD5 2001811eafe63778c00fabb0503acfa3
SHA1 acb94ab27b3e0d8c242ce838666939e393df02a2
SHA256 535d2810d18fcdee679363b1538258ee45bc96480133c43f3f3a2cea3440939c
SHA512 25a3ead24951825348a6ea7196282ae6a2edddadc8e2a46db5a40d66d63ea47e573dd22bb000b0a8543bd5a5cd386cbef0e2664062bd3afe91ca6f4983568603

memory/1852-33-0x00000000001F0000-0x0000000000220000-memory.dmp

memory/1852-34-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/1852-35-0x0000000005110000-0x0000000005728000-memory.dmp

memory/1852-36-0x0000000004C40000-0x0000000004D4A000-memory.dmp

memory/1852-37-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/1852-38-0x0000000004B80000-0x0000000004B92000-memory.dmp

memory/1852-39-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

memory/1280-40-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/1280-42-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/1852-43-0x0000000074760000-0x0000000074F10000-memory.dmp

memory/1852-44-0x00000000049E0000-0x00000000049F0000-memory.dmp