Malware Analysis Report

2025-01-23 06:43

Sample ID 241104-2nekpsyfpd
Target 238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60
SHA256 238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60

Threat Level: Known bad

The file 238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

RedLine

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 22:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 22:43

Reported

2024-11-04 22:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
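The six rows above are the whole of the Healer component's work: the five Real-Time Protection values live under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, the path Group Policy writes to, and the TamperProtection flag under the Features key is cleared first so the policy values take effect. Two caveats for triage: a sandbox only records that the write happened, and on a host where Tamper Protection is actually enforced these writes may be blocked or ignored, so confirm the real state with Get-MpComputerStatus rather than trusting the registry alone; and the same values are what a Sysmon Event ID 13 (registry value set) or Defender Event ID 5007 (configuration change) detection should key on. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it parses the report's own "Set value" rows (copied verbatim into SAMPLE_ROWS) and flags the ones that switch protection off. The row format it assumes is the one printed in this report, with process paths that contain no spaces.

```python
"""Flag Windows Defender tampering in a sandbox report's registry rows.

Added example, not part of the sandbox report. It parses rows of the form
    Set value (int) <key>\<value> = "<data>" <process> <target>
as printed in the report and matches them against the Defender policy
values that switch protection off. SAMPLE_ROWS are copied from the report.
"""
import re
from dataclasses import dataclass

# Policy values under this key disable a Defender component when set to 1.
RTP_POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft"
                  r"\Windows Defender\Real-Time Protection")
DISABLE_WHEN_1 = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Feature flag that is dangerous when cleared to 0.
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
DISABLE_WHEN_0 = {"TamperProtection"}

# Assumes process and target paths contain no spaces (true for every row here).
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    value: str
    data: str
    reason: str


def parse_set_value_row(line):
    """Return (key, value_name, data, process) for a 'Set value' row, else None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, value = m.group("path").rpartition("\\")
    return key, value, m.group("data"), m.group("proc")


def defender_tamper_findings(rows):
    """Return one Finding per row that disables a Defender protection."""
    findings = []
    for row in rows:
        parsed = parse_set_value_row(row)
        if parsed is None:
            continue
        key, value, data, proc = parsed
        if key == RTP_POLICY_KEY and value in DISABLE_WHEN_1 and data == "1":
            findings.append(Finding(proc, key, value, data,
                                    "real-time protection component disabled via policy"))
        elif key == FEATURES_KEY and value in DISABLE_WHEN_0 and data == "0":
            findings.append(Finding(proc, key, value, data,
                                    "tamper protection flag cleared"))
    return findings


# Rows copied from the report (jr630857.exe is the Healer component). The last
# row is the Geo/Nation read by ku801912.exe: not a "Set value" row, so skipped.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe N/A',
]

if __name__ == "__main__":
    for f in defender_tamper_findings(SAMPLE_ROWS):
        name = f.process.rsplit("\\", 1)[-1]
        print(f"{name}: {f.value}={f.data} ({f.reason})")
```

Run as-is it prints six findings, all attributed to jr630857.exe. The data value is compared as a string on purpose: a sandbox that prints "1" for a REG_DWORD of 1 is matched, while an unrelated write such as TamperProtection = "5" is not reported.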

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr583329.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe
PID 3484 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe
PID 3484 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe
PID 4576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe
PID 4576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe
PID 4576 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe
PID 4576 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe
PID 4576 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe
PID 2256 wrote to memory of 5700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe C:\Windows\Temp\1.exe
PID 2256 wrote to memory of 5700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe C:\Windows\Temp\1.exe
PID 2256 wrote to memory of 5700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe C:\Windows\Temp\1.exe
PID 3484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr583329.exe
PID 3484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr583329.exe
PID 3484 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr583329.exe

Processes

C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe

"C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2256 -ip 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr583329.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr583329.exe
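The WriteProcessMemory rows and the Processes list together describe a two-layer self-extracting package rather than a single binary. The IXP000.TMP and IXP001.TMP directories and the wextract_cleanup0/wextract_cleanup1 RunOnce values recorded earlier are the hallmarks of nested IExpress (wextract) packages: each layer unpacks into a fresh IXPnnn.TMP folder, runs what it extracted, and registers a RunOnce entry that calls advpack.dll,DelNodeRunDLL32 to delete that folder at the next logon. So the "Adds Run key" hit is the packer's self-cleanup, not persistence for the stealer. The two WerFault command lines name PID 2256 (ku801912.exe) as the process that crashed, which is the "Program crash" signature. The following Python is an added example, not part of the sandbox report: it rebuilds the process tree from a deduplicated copy of the report's WriteProcessMemory rows and marks crashed processes from the WerFault command lines. It assumes the row format printed here, with image paths that contain no spaces.

```python
"""Rebuild the detonation's process tree from the report's own rows.

Added example, not part of the sandbox report. Input is the
"Suspicious use of WriteProcessMemory" rows (parent PID, child PID and both
image paths) plus the WerFault command lines from the Processes list, all
copied from the report; the tree logic is the added part.
"""
import re
from collections import defaultdict

# Assumes image paths contain no spaces (true for every row in this report).
WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) \S+ "
    r"(?P<parent>\S+) (?P<child>\S+)$"
)
# WerFault is launched with "-p <pid>" naming the process that crashed.
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (?P<pid>\d+)")


def parse_edges(rows):
    """Return (images, parent_of): pid -> image path, child pid -> parent pid.

    Repeated rows (several writes into the same child) collapse to one edge.
    """
    images, parent_of = {}, {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        ppid, pid = int(m.group("ppid")), int(m.group("pid"))
        images.setdefault(ppid, m.group("parent"))
        images[pid] = m.group("child")
        parent_of[pid] = ppid
    return images, parent_of


def crashed_pids(command_lines):
    """PIDs that Windows Error Reporting was invoked for."""
    crashed = set()
    for cl in command_lines:
        m = WERFAULT_RE.search(cl)
        if m:
            crashed.add(int(m.group("pid")))
    return crashed


def render_tree(images, parent_of, crashed=frozenset()):
    """Indented one-line-per-process view, children in first-seen order."""
    children = defaultdict(list)
    for pid, ppid in parent_of.items():
        children[ppid].append(pid)
    roots = [p for p in images if p not in parent_of]
    lines = []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        flag = "  [crashed: WerFault]" if pid in crashed else ""
        lines.append(f"{'  ' * depth}{name} (pid {pid}){flag}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\238cc9a8ec759dbdc917daef9e7d33601fc025fe0d2a88c79e3872bda946ba60.exe"
T0 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
T1 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP"
# Deduplicated copy of the report's WriteProcessMemory rows.
WPM_ROWS = [
    f"PID 3484 wrote to memory of 4576 N/A {SAMPLE} {T0}\\ziYv9059.exe",
    f"PID 4576 wrote to memory of 2484 N/A {T0}\\ziYv9059.exe {T1}\\jr630857.exe",
    f"PID 4576 wrote to memory of 2256 N/A {T0}\\ziYv9059.exe {T1}\\ku801912.exe",
    f"PID 2256 wrote to memory of 5700 N/A {T1}\\ku801912.exe C:\\Windows\\Temp\\1.exe",
    f"PID 3484 wrote to memory of 2684 N/A {SAMPLE} {T0}\\lr583329.exe",
]
# WerFault command lines from the Processes list.
PROCESS_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2256 -ip 2256",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1376",
]

if __name__ == "__main__":
    images, parent_of = parse_edges(WPM_ROWS)
    print("\n".join(render_tree(images, parent_of, crashed_pids(PROCESS_CMDLINES))))
```

The rendered tree reads: the sample (PID 3484) unpacks ziYv9059.exe (layer two, PID 4576) and lr583329.exe; layer two launches jr630857.exe (the Defender-tampering Healer component) and ku801912.exe, which drops and runs C:\Windows\Temp\1.exe before crashing. Reading the WriteProcessMemory table this way is what turns the flat signature list into an execution order.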

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 94.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe

MD5 9be56f1a8bb301b65b1ab40caac4f9f1
SHA1 fe3ab8781d33433b3ed0b3137a33561f4d88a06c
SHA256 00e51a3b83853ed7dbc6fd5681b9b033120467cbe9c4b1a2d9a5d216072ca166
SHA512 51aeffe6f15981f369783950329f135df9373b9c828a9c23e34c8ad08ee002969d558ebfbaa29b226da6243ca17d0d43d1650855e45d0ad91ad157adbfdf3d0b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr630857.exe

MD5 53712b7792476ac5d15d7030230ebf83
SHA1 7f4a42cd8f7cb9ae7f46bf6d5a5c68cedd71b3ab
SHA256 56c91395c9d78b2f218ccf6ac8408bf0e476c8a3a816d871f7d4f63c2f64d282
SHA512 4b2e5ce0da63279c2ec87401df1315e52965dcea9df6b337f76ff9e1d6b7cbf6fe2d1d32493abb42209c7e67a9ee2c76815b50e04ee0cc8bbec4b82520fd0af6

memory/2484-14-0x00007FFA23D73000-0x00007FFA23D75000-memory.dmp

memory/2484-15-0x0000000000220000-0x000000000022A000-memory.dmp

memory/2484-16-0x00007FFA23D73000-0x00007FFA23D75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801912.exe

MD5 37a484c8c157b1d4007231bda099cbe8
SHA1 2f1d828736422a4e006e1b3d7b982849ce9410f6
SHA256 f821d5c89c2eece9abc553835a53a155393848bd4aac9a2c26b618300705986f
SHA512 06ee17acc437f07e6be8014057cc97abe90ac2e640c964744a433520a4c2920953181548d41bc4bf2bbdd9cbb42d2857c2b01af8c29ddb77f91f694355accec2

memory/2256-22-0x0000000004AC0000-0x0000000004B26000-memory.dmp

memory/2256-23-0x0000000004C70000-0x0000000005214000-memory.dmp

memory/2256-24-0x0000000005220000-0x0000000005286000-memory.dmp

memory/2256-28-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-40-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-38-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-36-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-34-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-32-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-30-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-76-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-62-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-50-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-26-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-25-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-88-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-86-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-84-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-82-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-80-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-78-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-74-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-72-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-70-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-68-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-66-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-64-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-60-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-59-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-56-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-54-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-52-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-48-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-46-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-44-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-42-0x0000000005220000-0x000000000527F000-memory.dmp

memory/2256-2105-0x0000000005410000-0x0000000005442000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5700-2118-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

memory/5700-2119-0x0000000005680000-0x0000000005686000-memory.dmp

memory/5700-2120-0x0000000005E00000-0x0000000006418000-memory.dmp

memory/5700-2121-0x00000000058F0000-0x00000000059FA000-memory.dmp

memory/5700-2122-0x0000000005820000-0x0000000005832000-memory.dmp

memory/5700-2123-0x0000000005880000-0x00000000058BC000-memory.dmp

memory/5700-2124-0x0000000005A00000-0x0000000005A4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr583329.exe

MD5 b741babeb563e6d5a5d4f71f3d011c29
SHA1 c2754296006c3d268f225f62b06c67ee3f89a5d7
SHA256 e1875c265784e475a294c6db069122ead3f46d731ba7aabc85453333ecd0158b
SHA512 544e732e585f0c21e98d3d23c345565e8d5bdf69608c48fcf8648c6c76f81d3a0a5b75bc62bc145dadac64a99524a37fb12c9c59ff2442b95cfe98a17be2f059

memory/2684-2129-0x0000000000770000-0x00000000007A0000-memory.dmp

memory/2684-2130-0x0000000002920000-0x0000000002926000-memory.dmp
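Most of the Network table is background: DNS to 8.8.8.8 for Bing names and reverse (in-addr.arpa) lookups, plus HTTPS to 150.171.28.10 for g.bing.com and tse1.mm.bing.net, which the win10 sandbox image generates on its own. Once that is stripped, the only destination left is 77.91.124.145:4125 over TCP, contacted twelve times in the 150 s window. The report does not label it, but as the sole non-Microsoft endpoint on a non-standard port it is the obvious candidate for the stealer's C2. The following Python is an added example, not part of the sandbox report: it filters the network rows down to candidate indicators, parses the Files section into per-file hashes, and emits a flat IOC list. The allowlist of background suffixes is an analyst assumption, and the embedded rows are a representative subset of the tables above (SHA512 lines omitted).

```python
"""Extract candidate indicators from the report's Network and Files tables.

Added example, not part of the sandbox report. The network rows and hash
blocks below are copied from the report (a subset); the allowlist of sandbox
background traffic is an analyst assumption, not something the report states.
"""
import re
from collections import Counter

NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
# Assumption: the win10 sandbox image talks to Bing on its own; treat as noise.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
RESOLVER = "8.8.8.8"
HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")


def candidate_network_iocs(rows):
    """Counter of ("endpoint", "ip:port/proto") or ("domain", name) -> hits."""
    counts = Counter()
    for row in rows:
        m = NET_RE.match(row.strip())
        if not m:
            continue
        ip, port, proto = m.group("ip"), int(m.group("port")), m.group("proto")
        domain = m.group("domain")
        if domain and (domain.endswith(".in-addr.arpa")
                       or domain.endswith(BACKGROUND_SUFFIXES)):
            continue  # reverse lookups and OS/browser background traffic
        if ip == RESOLVER and port == 53:
            # The resolver itself is not an IOC, but an unexplained queried name is.
            if domain:
                counts[("domain", domain)] += 1
            continue
        counts[("endpoint", f"{ip}:{port}/{proto}")] += 1
    return counts


def parse_file_hashes(lines):
    """Map dropped-file path -> {algo: hexdigest}; memory/... rows are ignored."""
    files, current = {}, None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if re.match(r"^[A-Za-z]:\\", line):  # a Windows path starts a new file block
            current = line
            files[current] = {}
            continue
        algo, _, digest = line.partition(" ")
        if current and algo in HASH_ALGOS and re.fullmatch(r"[0-9a-f]+", digest):
            files[current][algo] = digest
    return files


def ioc_list(network_rows, file_lines):
    """Flat (kind, value) list: network candidates by hit count, then SHA-256s."""
    iocs = [key for key, _ in candidate_network_iocs(network_rows).most_common()]
    for digests in parse_file_hashes(file_lines).values():
        if "SHA256" in digests:
            iocs.append(("sha256", digests["SHA256"]))
    return iocs


# Subset of the Network table, copied from the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
""".splitlines()

# Subset of the Files section, copied from the report (SHA512 rows omitted).
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYv9059.exe
MD5 9be56f1a8bb301b65b1ab40caac4f9f1
SHA1 fe3ab8781d33433b3ed0b3137a33561f4d88a06c
SHA256 00e51a3b83853ed7dbc6fd5681b9b033120467cbe9c4b1a2d9a5d216072ca166
C:\Windows\Temp\1.exe
MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
memory/5700-2118-0x0000000000EA0000-0x0000000000ED0000-memory.dmp
""".splitlines()

if __name__ == "__main__":
    for kind, value in ioc_list(NETWORK_ROWS, FILES_SECTION):
        print(f"{kind}\t{value}")
```

On this subset the only network candidate is 77.91.124.145:4125/tcp with five hits; on the full table it is twelve. A DNS query to the resolver for a name outside the allowlist is kept as a domain indicator rather than dropped, so the filter does not hide a C2 hostname that happens to be resolved through 8.8.8.8. Hashes of the dropped files are worth blocking in their own right, but note that only the inner payloads (jr630857.exe, ku801912.exe, 1.exe, lr583329.exe) identify the malware; the wrapper hashes change with every repack.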