Malware Analysis Report

2025-01-23 07:33

Sample ID: 241104-q6z4ks1dnl
Target: e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7
SHA256: e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7

Threat Level: Known bad

The file e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan

RedLine payload
Healer family
Redline family
RedLine
Healer
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 13:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 13:53
Reported: 2024-11-04 13:55
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4736 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe
PID 1140 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
PID 1140 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e30297f7e5be578a9d59e85471344142e0bbeb3939ec49300d75322de45d91f7.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4872 -ip 4872

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1084

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un355263.exe

MD5 24cbc64a1cb002b19e0cac53011a45b8
SHA1 4c506b57e3368fb13cde2f4a848120de5e75f9ea
SHA256 d18ae409287d91185915d932052c5a7b0e239819eaa9add9b0cc33df22b465e1
SHA512 1d1a2607e560ba3f4a216c4973243e2f7eb9af2305fa01f93cdc7bb4a9e2512407367c1a25e9f9d50989369cafd2e5efe56978993604916b0912d16d5a322c48

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0023.exe

MD5 27463a2931e8a6e9ec63e3db7f68bdd1
SHA1 59f19a376027a9802ddbdf0cc09d6c9431930d15
SHA256 3a9398dada925220c08513cca236da9fd3c235ff85c0e65fb3b1917dee6dea1b
SHA512 840fba736c1cbd768919a389d3817f55de605d574ef1c59c68185f57ceb9e3c9627510727c43fc221f430a05bb79e2ba96f34b0ef5587691db638ba8aef57ff8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4919.exe

MD5 7ff96e4f98dcfeb94561597349eee69c
SHA1 9c93afcaed064ddfd6a3e22f0de4a02ff9e976fe
SHA256 c2333ba03da04867bb3a28c8dcc1d10bf88c675bb953d070614c5521933ce92b
SHA512 47fbbb3ecaf0197bd621fb31ec435ac09874c7c77aaedce757a5aef0da6cf66c78ee351186079d32a477ba812541516859799922dfad99a739dbfb761b4623b2