Malware Analysis Report

2025-01-23 07:33

Sample ID 241104-q5a33atjgk
Target 3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff
SHA256 3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff

Threat Level: Known bad

The file 3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer family

Redline family

RedLine payload

Healer

Detects Healer an antivirus disabler dropper

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:50

Reported

2024-11-04 13:52

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 rows exported for this signature, every field N/A)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
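The Real-Time Protection policy values set to "1" above and the Features\TamperProtection value set to "0" here are all written by jr492634.exe out of IXP001.TMP, and together they are the whole of what the Healer stage does to Defender in this run. The following Python is an added triage example, not part of this sandbox report and not Healer or RedLine code: it parses rows in the report's flattened "Description Indicator Process Target" layout and flags exactly those two patterns. The sample rows are the report's own six writes plus one constructed benign explorer.exe row, so the filter has something to leave alone. Two caveats a reader should carry: on a host where Defender tamper protection is on, Defender is designed to ignore or revert these policy values and protects the Features key, so the rows record what the sample attempted, not what it achieved; and a 32-bit writer can land the same keys under WOW6432Node, which the filter folds away before matching.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the six "Set value" rows of this report's behavioral1 run,
# copied verbatim, plus one constructed benign row (explorer.exe) as a control.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A
""".strip().splitlines()

@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    value_name: str
    data: str
    process: str

# One flattened row: Set value (<type>) <key\value> = "<data>" <process> <target>
# Process paths in this report carry no spaces; a tab-separated export would
# need a different split if they did.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)

RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
_RTP_DISABLE_LOWER = {v.lower() for v in RTP_DISABLE_VALUES}
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
SFX_TEMP_RE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)

def normalize_key(key: str) -> str:
    # A 32-bit writer on 64-bit Windows may go through the WOW6432Node view;
    # fold it away and compare case-insensitively, as the registry itself does.
    return key.replace(r"\WOW6432Node", "").lower()

def classify(row: str) -> Finding | None:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, _, value_name = m.group("path").rpartition("\\")
    nkey, data, proc = normalize_key(key), m.group("data"), m.group("proc")
    if nkey == normalize_key(RTP_KEY) and value_name.lower() in _RTP_DISABLE_LOWER and data == "1":
        return Finding("defender_rtp_policy_disabled", key, value_name, data, proc)
    if nkey == normalize_key(FEATURES_KEY) and value_name.lower() == "tamperprotection" and data == "0":
        return Finding("defender_tamper_protection_off", key, value_name, data, proc)
    return None

def triage(rows) -> list[Finding]:
    return [f for f in (classify(r) for r in rows) if f is not None]

def from_sfx_temp_dir(finding: Finding) -> bool:
    # IXP00N.TMP under %TEMP% is the extraction directory of the Windows WEXTRACT
    # (IExpress) self-extractor; a Defender-tampering writer living there points
    # at a nested SFX dropper chain rather than an installed component.
    return bool(SFX_TEMP_RE.search(finding.process))

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        where = "sfx-temp" if from_sfx_temp_dir(f) else "other"
        print(f"{f.rule:32} {f.value_name}={f.data} by {f.process} [{where}]")
```

Run it as-is and it reports the five Real-Time Protection values and the TamperProtection write, all attributed to jr492634.exe in the IXP001.TMP extraction directory, and stays silent on the explorer.exe row.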

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe

"C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
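The "Adds Run key to start application" rows earlier in this report and the process list above describe the same thing from two sides. Each RunOnce\wextract_cleanupN value is written by the Windows WEXTRACT (IExpress) self-extractor stub that unpacked into IXP00N.TMP, and what it schedules is rundll32 advpack.dll,DelNodeRunDLL32 deleting that directory at next logon: self-cleanup of a self-extracting package, not the malware installing its own autorun. That makes the writer of each cleanup value the parent of whatever ran out of that directory, so the two rows give the nesting of the dropper chain directly. It also means the dropped files in IXP000.TMP and IXP001.TMP disappear from disk at the next logon, so acquisition has to happen before a reboot, and the hashes in the Files section are what survives. The following Python is an added example, not part of this report, that reconstructs the chain from those two rows and the four image paths; both inputs are copied from the report and embedded inline.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample: the two RunOnce rows of this report's "Adds Run key" signature
# and the four image paths from its Processes section, copied verbatim.
RUNONCE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe N/A',
]
PROCESSES = [
    r"C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe",
]

# wextract_cleanupN is written by the WEXTRACT stub that unpacked into IXP00N.TMP;
# its data runs advpack!DelNodeRunDLL32 at next logon to delete that directory.
CLEANUP_RE = re.compile(
    r'RunOnce\\wextract_cleanup(?P<n>\d+) = "(?P<cmd>.*)" (?P<writer>\S+) (?P<target>\S+)$'
)
DIR_RE = re.compile(r"IXP(?P<n>\d{3})\.TMP", re.IGNORECASE)

def extractor_by_dir(runonce_rows: list[str]) -> dict[str, str]:
    """Map each IXP directory index ('000', '001', ...) to the process that wrote its cleanup entry."""
    out: dict[str, str] = {}
    for row in runonce_rows:
        m = CLEANUP_RE.search(row)
        if not m or "advpack.dll,DelNodeRunDLL32" not in m.group("cmd"):
            continue  # some other RunOnce value, not the SFX self-cleanup pattern
        d = DIR_RE.search(m.group("cmd"))
        if d:
            out[d.group("n")] = m.group("writer")
    return out

def sfx_chain(runonce_rows: list[str], processes: list[str]) -> dict[str, list[str]]:
    """Parent -> children, where the parent is the SFX stub that unpacked each child."""
    extractor = extractor_by_dir(runonce_rows)
    children: dict[str, list[str]] = defaultdict(list)
    for proc in processes:
        d = DIR_RE.search(proc)
        if d and d.group("n") in extractor:
            children[extractor[d.group("n")]].append(proc)
    return dict(children)

def root_of(processes: list[str]) -> str:
    # The one image not living in an IXP00N.TMP directory is the submitted sample.
    return next(p for p in processes if not DIR_RE.search(p))

def render(children: dict[str, list[str]], node: str, indent: int = 0) -> list[str]:
    lines = ["  " * indent + node.rsplit("\\", 1)[-1]]
    for child in children.get(node, []):
        lines.extend(render(children, child, indent + 1))
    return lines

if __name__ == "__main__":
    tree = sfx_chain(RUNONCE_ROWS, PROCESSES)
    print("\n".join(render(tree, root_of(PROCESSES))))
```

Run stand-alone it prints the submitted sample at the top, ziGk5115.exe under it, and jr492634.exe (the Defender disabler) and ku457488.exe (the stage that also takes SeDebugPrivilege) as siblings unpacked by ziGk5115.exe. The WOW6432Node in both key paths is a further clue that the stubs writing them are 32-bit processes.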

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
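Read as a whole, the table above splits into three kinds of traffic: PTR lookups through 8.8.8.8, Bing image traffic on 443, and six TCP sessions to a raw public ip:port (176.113.115.145:4125) on a non-standard port with no DNS query in front of them. The last group is the candidate C2: a connection to a hard-coded address rather than a resolved domain is how a stealer with an embedded ip:port config looks from the network side. The table has no process column, so nothing here ties the lookups or the Bing traffic to the sample's processes; they are the kind of background a Windows 10 guest generates on its own. The following Python is an added example, not part of this report, that applies that split to the report's own rows. The allowlist of guest background hosts is constructed (one suffix) and is meant to be extended for the analyst's own images.

```python
from __future__ import annotations
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the Network table of this report, copied row for row
# (country, destination ip:port, optional domain, protocol).
SAMPLE_NETWORK = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
""".strip().splitlines()

@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str

def parse_flow(line: str) -> Flow:
    parts = line.split()
    if len(parts) == 3:            # raw ip:port, no domain column
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected network row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return Flow(country, ip, int(port), domain, proto)

# Constructed allowlist of hosts the guest talks to on its own; extend per image.
GUEST_BACKGROUND_SUFFIXES = (".bing.net",)
WEB_PORTS = {80, 443}

def bucket(flow: Flow) -> str:
    if flow.domain and flow.domain.endswith(".in-addr.arpa") and flow.port == 53:
        return "reverse_dns"       # PTR lookups by the guest, not sample C2
    if flow.domain and flow.domain.endswith(GUEST_BACKGROUND_SUFFIXES):
        return "guest_background"
    if flow.port == 53:
        return "dns"               # any other lookup: worth reading, not C2 by itself
    if (flow.domain is None and flow.proto == "tcp"
            and flow.port not in WEB_PORTS
            and ipaddress.ip_address(flow.ip).is_global):
        return "candidate_c2"      # hard-coded public ip:port, odd port, no lookup
    return "other"

def triage_network(lines) -> tuple[Counter, Counter]:
    flows = [parse_flow(l) for l in lines]
    counts = Counter(bucket(f) for f in flows)
    c2 = Counter((f.ip, f.port, f.country) for f in flows if bucket(f) == "candidate_c2")
    return counts, c2

if __name__ == "__main__":
    counts, c2 = triage_network(SAMPLE_NETWORK)
    print(dict(counts))
    for (ip, port, cc), n in c2.most_common():
        print(f"candidate C2 {ip}:{port} ({cc}) seen {n} times")
```

On this report's rows it yields 11 reverse lookups, 6 Bing rows and one candidate C2 endpoint seen 6 times; a sample that resolved a domain before connecting would land in "dns" plus "other" instead, which is the case to look at next in a real run.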

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe

MD5 286d00fb8774d77afe60a360e7f4e638
SHA1 7a973b498926bd4ede517655cb99f300f5448613
SHA256 583bc816d0fc868a5ff89191c8596f4320d5c0745ae36aa877e33a23355723b1
SHA512 82b865e0276661fc757b441e1630d843bf973dcab65d0ea9aae6b90315f2a0e58d12b09cf6980afcb2e7f911550398025a528426be73115d66baf499bc8d7a27

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe

MD5 3caf74acb68fcc62c6dcc0dd5420869e
SHA1 dbc6b3a729425c24d73516cd0274339b9f1bb25e
SHA256 378104be760b6a5d2adbbd549c9490780cf44e88c6a668cddaee10b2407fedfb
SHA512 dc852a47eeb26c4396061f3bb725955657cb4d7d1a911fb6b23aebf1902803090e05bcd32bd0ab45ee6401403a0b15572e56ec03e46d83148276a2ba5539c666

memory/1596-14-0x00007FFA7BA83000-0x00007FFA7BA85000-memory.dmp
memory/1596-15-0x0000000000840000-0x000000000084A000-memory.dmp
memory/1596-16-0x00007FFA7BA83000-0x00007FFA7BA85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe

MD5 9043eaa2b512bb2be5f17eb770a0f8a1
SHA1 4dd199f5dabda70b804d0ebb36752e15a2c3d0ba
SHA256 c2e1703e3bc04b0354f429885401bedfdc56f9f65cb9727a804e5850397f0813
SHA512 9270acb905231ba870631c427c00ef0ee0fe924e306753ce4caa4dcef5d8b97c7a02849586b312efbd326887edc5f6dd67d5d7d1159a729a7fa804b7a2aff8a0

memory/776-22-0x0000000003B20000-0x0000000003B66000-memory.dmp
memory/776-23-0x0000000006090000-0x0000000006634000-memory.dmp
memory/776-24-0x0000000006690000-0x00000000066D4000-memory.dmp
memory/776-60-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-74-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-88-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-86-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-84-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-82-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-80-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-78-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-72-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-71-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-68-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-66-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-65-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-62-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-58-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-56-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-54-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-52-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-50-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-48-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-46-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-44-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-40-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-38-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-37-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-34-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-32-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-76-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-42-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-30-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-28-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-26-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-25-0x0000000006690000-0x00000000066CF000-memory.dmp
memory/776-931-0x0000000006730000-0x0000000006D48000-memory.dmp
memory/776-932-0x0000000006DD0000-0x0000000006EDA000-memory.dmp
memory/776-933-0x0000000006F10000-0x0000000006F22000-memory.dmp
memory/776-934-0x0000000006F30000-0x0000000006F6C000-memory.dmp
memory/776-935-0x0000000007080000-0x00000000070CC000-memory.dmp