Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q5plfszhqc
Target cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459
SHA256 cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459

Threat Level: Known bad

The file cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

Detects Healer an antivirus disabler dropper

Redline family

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:50

Reported

2024-11-04 13:53

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe
PID 3680 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe
PID 3680 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe
PID 2036 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe
PID 2036 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe
PID 2036 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe
PID 5096 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe
PID 5096 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe
PID 5096 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe
PID 5096 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe
PID 5096 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe

"C:\Users\Admin\AppData\Local\Temp\cfd131a850cb7a9398062dcb81a59ad52e73036160016e13d6f54f7a9f59d459.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSf3156.exe

MD5 b135c5aafc6f698d3819209c1998cbcc
SHA1 54b3000f8b4582dbb2aa954274031282b5815df0
SHA256 7c9eef205b608b3216b932dd6a09414e5c64a3b21ae947d73f9d8fa9e8f5b873
SHA512 6abe9bb3640fd548c14a71a11d5a6124de1b5fdd2f1a5047e0e772465574c6e8538b9c3a9760b33253ec8d53f458f94b943ab93cc0177e6f3d31c3bdf7b95d1a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zixe2189.exe

MD5 1f2c684ecbc4ef0453a865262c66f167
SHA1 7329ce675fd6e3b96cf0fb63baac68d4e3e036fb
SHA256 ad67265cd1bf45edafb01f0f4586700337e24ded4ccce461cd9c10e983af7180
SHA512 3d6faac6dbd9bc2c8e4de5ad79e342db4ca6a383344ea4eac11b92adf142cae7d8d28f5d2a457b96aa7f6729c0d9d4e0876be220335539f4556f14a2ac5a2a73

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it145162.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr822882.exe

MD5 2484f7748a014489a3348883e7b48b64
SHA1 6503800588d01d32bdf38b5a0af633d0549314e0
SHA256 8a33f8d7fdefd5bb3e437d12494ef58df6d433d46e4ed23e1a8ba4953724784b
SHA512 74fba93c01f1eaca433144407a808d86c5504f6c60aabf23cf20095d763887c368c97a381da8013ef0562bbccae494be80022f4404a12b930c8803210c9ed40a
