Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q5h4ns1dlq
Target 7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65
SHA256 7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65
Tags
healer redline diza norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65

Threat Level: Known bad

The file 7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65 was found to be: Known bad.

Malicious Activity Summary

healer redline diza norm discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

Detects Healer, an antivirus-disabler dropper

Healer family

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:50

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no indicator, process or target recorded for it)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:50

Reported

2024-11-04 13:53

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(2 matches; no indicator, process or target recorded for them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A

All six writes come from jr433808.exe. The values sit under the Policies hive, so Defender applies them as administrator-set policy: the affected switches show as managed in Windows Security and stay off until the values are removed. Tamper Protection exists to block precisely this kind of registry-driven disabling, which is why the same process also writes TamperProtection = 0 (Windows security modification, below); whether that write takes effect on a patched host with Tamper Protection on is not something a sandbox run can confirm.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(5 matches; no indicator, process or target recorded for them)

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051073.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A

The Features\TamperProtection value is the state flag Defender itself maintains for Tamper Protection; writing 0 is an attempt to switch the feature off so that the Real-Time Protection policy values above are honoured. Defender is designed to block unauthorised changes to this value while Tamper Protection is on, so the write may not have the intended effect outside a sandbox image.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZo1729.exe N/A

Both entries are the standard cleanup hook written by wextract, the Windows IExpress self-extractor: at next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the named IXP00n.TMP extraction directory. They show that the sample and ziZo1729.exe are two nested IExpress packages (IXP000.TMP and IXP001.TMP are wextract's extraction folders), not that the payload itself survives a reboot; no Run or RunOnce value pointing at jr433808.exe, ku051073.exe, 1.exe or lr999420.exe is recorded in this run.
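The Defender policy writes above and the RunOnce entries in this section are the two registry behaviours in this report worth turning into detection logic. The Python below is an added example, not code from the report or from the sandbox vendor: it classifies constructed registry events shaped like Sysmon Event ID 12 (CreateKey) and 13 (SetValue) records (the field names EventID, Image, TargetObject and Details are the assumed schema), normalises the kernel-style \REGISTRY\MACHINE prefix and the WOW6432Node redirection seen in the report's paths, and flags the Real-Time Protection policy values, the TamperProtection write and the wextract cleanup hook. The cleanup hook is graded informational on purpose, since it is the self-extractor's housekeeping rather than payload persistence, while any other Run/RunOnce write is still surfaced.

```python
"""Flag Healer-style Defender tampering and wextract RunOnce hooks in registry events.

Added detection example, not part of the sandbox report. Events are constructed to
mimic Sysmon Event ID 12/13 fields (EventID, Image, TargetObject, Details); the key
paths and values mirror the report's indicators.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set

HIVE_ALIASES = (  # kernel-style and long hive prefixes -> short forms
    ("\\REGISTRY\\MACHINE\\", "HKLM\\"),
    ("HKEY_LOCAL_MACHINE\\", "HKLM\\"),
    ("\\REGISTRY\\USER\\", "HKU\\"),
    ("HKEY_USERS\\", "HKU\\"),
)
DEFENDER_RTP_POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
DEFENDER_FEATURES = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features"
# Policy values jr433808.exe set to 1 in the report; each switches off one Defender component
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WEXTRACT_RE = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    image: str
    key: str
    value: Any


def normalize_key(path: str) -> str:
    """Rewrite the hive prefix to HKLM/HKU and fold WOW6432Node back onto the native path."""
    upper = path.upper()
    for alias, canon in HIVE_ALIASES:
        if upper.startswith(alias.upper()):
            path = canon + path[len(alias):]
            break
    return re.sub(r"\\SOFTWARE\\WOW6432Node\\", r"\\SOFTWARE\\", path, flags=re.I)


def parse_details(details: str) -> Any:
    """Sysmon renders numeric values as 'DWORD (0x00000001)'; strings pass through unchanged."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else details


def classify(event: Dict[str, Any]) -> Optional[Finding]:
    key = normalize_key(event["TargetObject"])
    image = event["Image"]
    if event["EventID"] == 12:  # CreateKey: the RTP policy key does not exist on a default install
        if key.lower() == DEFENDER_RTP_POLICY.lower():
            return Finding("medium", "defender_rtp_policy_key_created", image, key, None)
        return None
    if event["EventID"] != 13:  # only SetValue events carry a value to judge
        return None
    parent, _, name = key.rpartition("\\")
    value = parse_details(event.get("Details", ""))
    if parent.lower() == DEFENDER_RTP_POLICY.lower() and name in RTP_DISABLE_VALUES and value == 1:
        return Finding("high", "defender_rtp_policy_disabled", image, key, value)
    if parent.lower() == DEFENDER_FEATURES.lower() and name.lower() == "tamperprotection" and value == 0:
        return Finding("high", "defender_tamper_protection_off", image, key, value)
    if WEXTRACT_RE.search(key) and isinstance(value, str) and "advpack.dll,DelNodeRunDLL32" in value:
        # IExpress/wextract cleanup hook: deletes its IXP*.TMP folder at next logon, not persistence
        return Finding("info", "wextract_cleanup_runonce", image, key, value)
    if RUN_KEY_RE.search(key):
        return Finding("medium", "run_key_added", image, key, value)
    return None


def scan(events) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


def summarize(findings) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def defender_tampering_images(findings) -> Set[str]:
    """Processes that touched Defender settings: pull their binaries and memory dumps first."""
    return {f.image for f in findings if f.rule.startswith("defender_")}


# Constructed sample events mirroring the report's registry indicators, plus one benign write
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe"
RTP_KEY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
SAMPLE_EVENTS = (
    [{"EventID": 12, "Image": HEALER, "TargetObject": RTP_KEY}]
    + [{"EventID": 13, "Image": HEALER, "TargetObject": RTP_KEY + "\\" + v, "Details": "DWORD (0x00000001)"}
       for v in sorted(RTP_DISABLE_VALUES)]
    + [{"EventID": 13, "Image": HEALER, "Details": "DWORD (0x00000000)",
        "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection"},
       {"EventID": 13, "Image": DROPPER,
        "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
        "Details": 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"'},
       {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",  # benign, constructed
        "TargetObject": "\\REGISTRY\\USER\\S-1-5-21-2045521122-590294423-3465680274-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"}]
)

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        exe = f.image.rsplit("\\", 1)[-1]
        print(f"[{f.severity:6}] {f.rule:32} {exe:14} {f.key} = {f.value!r}")
    print(summarize(results))
```

Run as a script it prints eight findings (the benign Explorer write is ignored) and a per-rule count; in a pipeline, `classify` is the piece to wire onto a Sysmon or EDR registry stream, and `defender_tampering_images` gives the process list to triage first.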

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZo1729.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051073.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr999420.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051073.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 1624 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZo1729.exe
PID 1624 wrote to memory of 4440 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZo1729.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe
PID 1624 wrote to memory of 1696 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZo1729.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051073.exe
PID 1696 wrote to memory of 932 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051073.exe C:\Windows\Temp\1.exe
PID 1736 wrote to memory of 856 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr999420.exe

Processes

Process tree for this run, reconstructed from the WriteProcessMemory source/target pairs and the WerFault -p arguments (PIDs are specific to this detonation; indentation shows parent/child; a command line is shown only where it was recorded differently from the image path):

PID 1736  C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe
          "C:\Users\Admin\AppData\Local\Temp\7d6483a955dfeeb4c3531daa9cf10b580e973532ee399ef8d48c567d46feed65.exe"
  PID 1624  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZo1729.exe
    PID 4440  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe  (Windows Defender settings modified; SeDebugPrivilege; enumerates processes)
    PID 1696  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051073.exe  (SeDebugPrivilege; queries Geo\Nation; crashed, see WerFault below)
      PID 932   C:\Windows\Temp\1.exe
                "C:\Windows\Temp\1.exe"
  PID 856   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr999420.exe

Crash reporting for PID 1696 (ku051073.exe), started by Windows Error Reporting rather than by the malware:

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1384

Network

Deduplicated view of the 27 connection records in this run (count in the last column):

Country Destination Domain Proto Count
FI 77.91.124.145:4125 - tcp 12
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp 1
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp 1
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp 1

The repeated TCP connections to 77.91.124.145:4125 are the only traffic in the capture not attributable to DNS or to tse1.mm.bing.net (150.171.27.10; 10.27.171.150.in-addr.arpa is its reverse lookup), so that address and port are the network indicators to pivot on. The report does not record which process opened them.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZo1729.exe

MD5 5cfc04aeff2e56f90f52aeb4240fbc59
SHA1 5c5260818c3c3617a191ec8754a62b538540354e
SHA256 b0bcff5d3b71d427cce6b9ef271bf2fd381108a90a2fe99f991c435d9dc8a92d
SHA512 4df89676b83e22bc828e5c9c292dc588d36364f193b6ee503c00c5debdd939a0601baa5b501a97278eb0208971e3da8634b9fa6c6b35124c3ce074d1d27bf0c5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr433808.exe

MD5 df7743a52eabb10beb89f121c451c7de
SHA1 03f59df7b260f65e5d209d1ccbe537209d240fbf
SHA256 5191451ad089841c225d9d1315b388a6905e512ef4071dd6b396b6edd2060588
SHA512 0d03920c58cebac05c93560e586844e2756babb63f2ee4946d14a80adbde201eaf24e8e7aa334f27af0cbb596eb531f8cbf73c5c6507c6f8d87336bb0e08f638

memory/4440-15-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

memory/4440-14-0x00007FF995293000-0x00007FF995295000-memory.dmp

memory/4440-16-0x00007FF995293000-0x00007FF995295000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku051073.exe

MD5 07eabae6046fbd8bf9960bb73c003fd2
SHA1 3c1950cd5025b420fdf868d8f0c6ad7319897710
SHA256 3cf9a8f3fb034ca37b351f8e9d795f8ab6036afdb04f73ac659954849abdf3df
SHA512 5c74df4b4becb0d53b294709751e7e062bddfcda296402c179c9bc8648500ce0add4cef18933620800cba3d07758643690a2b76230ab4b9147954cae4ae6d187

memory/1696-22-0x0000000004BC0000-0x0000000004C26000-memory.dmp

memory/1696-23-0x0000000004C30000-0x00000000051D4000-memory.dmp

memory/1696-24-0x00000000051E0000-0x0000000005246000-memory.dmp

memory/1696-{25,26,28,30,33,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,67,68,70,72,74,76,78,80,82,84,86,88}-0x00000000051E0000-0x000000000523F000-memory.dmp (33 dumps of the same 0x5F000-byte region of ku051073.exe, one per listed index)

memory/1696-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/932-2118-0x00000000006E0000-0x0000000000710000-memory.dmp

memory/932-2119-0x0000000007350000-0x0000000007356000-memory.dmp

memory/932-2120-0x00000000055F0000-0x0000000005C08000-memory.dmp

memory/932-2121-0x0000000005120000-0x000000000522A000-memory.dmp

memory/932-2122-0x0000000005050000-0x0000000005062000-memory.dmp

memory/932-2123-0x00000000050B0000-0x00000000050EC000-memory.dmp

memory/932-2124-0x0000000005230000-0x000000000527C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr999420.exe

MD5 99056cc8b8e031e0b6ba41bb9d2aa618
SHA1 48ba05013cdf437d592eff9a4db15e1cfae9a0b5
SHA256 a5050b29a39f8996dadfe5663ea5ea7f903e2f9c517236c88bcbc04343e4295f
SHA512 b7dfa52a46c74f997b67d7205d09aaeb417a0abf029e2d22557446a1aa6b14048b3664ef6d9ade23029d101a7778a27368a4aa160ae226d8217fd9c6e5069919

memory/856-2129-0x0000000000B70000-0x0000000000B9E000-memory.dmp

memory/856-2130-0x0000000005350000-0x0000000005356000-memory.dmp