Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q3kvgs1djn
Target 7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6
SHA256 7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6

Threat Level: Known bad

The file 7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6 was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

Healer family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:47

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:47

Reported

2024-11-04 13:49

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk475650.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe
PID 2216 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe
PID 2216 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe
PID 2384 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe
PID 2384 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe
PID 2384 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe
PID 2080 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe
PID 2080 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe
PID 2080 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe
PID 2080 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe
PID 2080 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe
PID 2080 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe
PID 628 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe C:\Windows\Temp\1.exe
PID 628 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe C:\Windows\Temp\1.exe
PID 628 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe C:\Windows\Temp\1.exe
PID 2384 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk475650.exe
PID 2384 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk475650.exe
PID 2384 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk475650.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7c93aabd0efbcc246097976eaa2a8605d24d06bddaf3353a28ededa90532b7f6.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe

Process: C:\Windows\Temp\1.exe
Command line: "C:\Windows\Temp\1.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk475650.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk475650.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un628940.exe

MD5 0374713f9e2d86dddb2a95362244f5bd
SHA1 ec6e549ef52409fead28942497a92a4e9617cce7
SHA256 4af30712d9eac0550e9ab2809c86b7270367c1dfdeeeba60d73d8c65aa4e61e2
SHA512 cd83ac73ba43b02b3c55d61a25167b2c652c92685a0befdcba31dabc17e263a106e8f0a7cc72200a2c3e1eeb3d1c7e6924e97ec306186e9e362bf6161b9ee9ea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129280.exe

MD5 f3c6f9cd0eb470b884277d33472f3e8b
SHA1 be28e1203c251bdd5da888edd045328c7391f311
SHA256 0511dabe1b849aa51116b7dfbcc58813337c5c707a973faf4ea7d8360dd4e499
SHA512 13029c2d498b6218e2ac867a6d6670ff96bf0edeb2d42c19aa32a75208c052dbc12e7a3209c9db2b9243b58018d5484e5238ff108a17a89a477dd04fab29a2e7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr611673.exe

MD5 2d7a37f3711ebdae8b7c28383b9b1813
SHA1 f7b4c48f4a51167a1be0582c3deaa4fb9f940dbd
SHA256 48a0262b823a6a96abb6b22021d49ddf1e94b3fb7b66c3beca29a1069c01b597
SHA512 b8fafc2278cb46f3459bc65edf6034b4804f7eb358ef42f2ac6c3fdfa1af015bbf73dc6e3c61b3bbe8cb6b05871d56617db3c58b859baef517bf38db649822b8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu917964.exe

MD5 91f995f1e0cbceca3c72fe043fb273b0
SHA1 733eda12acdaab1523cb6bfc636e8a0f62d2b368
SHA256 a4dc8d039c008a1dd6af2e98bace9eae1b33d57e1c8a042de40d11d75dc43487
SHA512 b860230878082934c298a6c4b771bea4a4f4b6c49f05882ba9eb0f2b05e4055fe798c2411e4c759d8f355b719ef5d8e5784770d92c5bd3a6f1bf7800ac48492f

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk475650.exe

MD5 ecf6278fff5f7f8e4b35dd4d7c537fc1
SHA1 8ff759ec9f150aac7685256bcc9876d702a80b94
SHA256 1dad51dea28c236b16f053ebccf172655b4dab5f493e870bf23094bda3b85c6c
SHA512 741ec5bf67adac7909acd0f87b745309ba7ffe5931eda6712d515c91c91a8813c95d46e8855872b39f6bffb919f2dc1c090a0f9a5550aaccd60f3299c36e3907
