Malware Analysis Report

2025-01-23 07:35

Sample ID 241104-q7z5zatkbn
Target f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9
SHA256 f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9
Tags
healer redline disa lada discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9

Threat Level: Known bad

The file f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9 was found to be: Known bad.

Malicious Activity Summary

healer redline disa lada discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer family

Healer

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:54

Reported

2024-11-04 13:57

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp071386.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3128 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe
PID 3128 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe
PID 3128 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe
PID 3608 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe
PID 3608 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe
PID 3608 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe
PID 2984 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe
PID 2984 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe
PID 2984 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe
PID 2984 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe
PID 2984 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe
PID 5108 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe | C:\Windows\Temp\1.exe
PID 5108 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe | C:\Windows\Temp\1.exe
PID 5108 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe | C:\Windows\Temp\1.exe
PID 3608 wrote to memory of 6080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp071386.exe
PID 3608 wrote to memory of 6080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp071386.exe
PID 3608 wrote to memory of 6080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp071386.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe

"C:\Users\Admin\AppData\Local\Temp\f719ceb68098a8d8580528cb508c2b61fde8080d3b5c3df94fc85c4f91e3faf9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp071386.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp071386.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp
RU | 185.161.248.90:4125 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zizl9018.exe

MD5 5749b00ca3371ac91b363f0257f46775
SHA1 da346656b33d15768baeba4d9edf6bb7ffcd5ecf
SHA256 9fd934687874e0106953aca3327240836d26267ba9fe9893a16aa31be92492b3
SHA512 75ce8095e64cb026a0fcf6d363c7e1b192e0d269d4ce985e2170daae0a928b8b2abf7e0c376db8935420bbe0287954a1c82b2f1e5221333eef7f2a1f8be04f15

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziaj9807.exe

MD5 5e4f19173cb4571f6f94ebdc2c613bd7
SHA1 7ec2ab34fb0f4450bb427d07e2c27e3bd21b8b37
SHA256 f99f59cc65b63dfcdf427cd007e89e0c1fd8dc5b1670451d5ae37cdaffb6a5ac
SHA512 1276fc8b40e91c249250b11e9e6882192ea6a8ed2720bd21502e36e4ecc4616727e0d5e50082cf2571c66346d252811579086acd524bb6eabcc65daae7717481

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it937518.exe

MD5 4550c759e930c94020888cdcfed8085f
SHA1 9b035d7e7b3c41a3856bc7c4d2465b16ed6c584d
SHA256 8faf4df83e6c0ff8ba8765fccb128886c9ba09639e56e739283650cd620307dc
SHA512 12c7b6b7847ae75488741e79ad8b29b1d2f79e7c50fb9f3fa5a30f09061bbce095ef83439df500a9d74f5716ecfb22218d59db64c02fedead100c322749f392c

memory/868-21-0x00007FFA48DC3000-0x00007FFA48DC5000-memory.dmp

memory/868-22-0x0000000000D50000-0x0000000000D5A000-memory.dmp

memory/868-24-0x00007FFA48DC3000-0x00007FFA48DC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr159105.exe

MD5 648b197f84cfe41c24ff88fedc2376dd
SHA1 ffe00a58d67516766e1107b188b842a35659c5b9
SHA256 b34210c7b961cdd0e4f2fa7aec906321a33ff64f14fe70c88cc8eb177f15035d
SHA512 123a1676ad7a41cede176697490d890ce7c9c087af76a54012b6bac19eeaeac9bbf4b92b7d45e1c16cdff2a2614fb9df83277f6d5469365fd22c4bda0940de81

memory/5108-29-0x0000000002830000-0x0000000002898000-memory.dmp

memory/5108-30-0x0000000004F60000-0x0000000005504000-memory.dmp

memory/5108-31-0x0000000005550000-0x00000000055B6000-memory.dmp

memory/5108-37-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-49-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-95-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-93-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-91-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-89-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-87-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-85-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-81-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-79-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-77-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-75-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-73-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-71-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-69-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-67-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-65-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-63-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-59-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-57-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-56-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-53-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-51-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-47-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-45-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-43-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-41-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-39-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-35-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-83-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-61-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-33-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-32-0x0000000005550000-0x00000000055B0000-memory.dmp

memory/5108-2174-0x0000000005760000-0x0000000005792000-memory.dmp

C:\Windows\Temp\1.exe

MD5 03728fed675bcde5256342183b1d6f27
SHA1 d13eace7d3d92f93756504b274777cc269b222a2
SHA256 f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

memory/2484-2188-0x0000000000670000-0x000000000069E000-memory.dmp

memory/2484-2189-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp071386.exe

MD5 69e0896d5bf96cc333493b6e20aa8990
SHA1 64933812743bdd317e0bf918c8b4a35cf1e9b09e
SHA256 5556c2cd6037f436712245cc11cf572e50d87b11b55ac24a0815d069e7267724
SHA512 eab8c1c2fcad3a0cd83951074401d8367037796f4a6a90b98d0544f1d63b132d1732381c831633ba6f7976627969025a7a84d1372410f4be0aa3f3dbec8cf982

memory/6080-2193-0x0000000000DF0000-0x0000000000E20000-memory.dmp

memory/6080-2194-0x0000000002F90000-0x0000000002F96000-memory.dmp

memory/2484-2195-0x0000000005670000-0x0000000005C88000-memory.dmp

memory/6080-2196-0x00000000058B0000-0x00000000059BA000-memory.dmp

memory/2484-2197-0x0000000004EF0000-0x0000000004F02000-memory.dmp

memory/6080-2198-0x00000000057E0000-0x000000000581C000-memory.dmp

memory/2484-2199-0x00000000050A0000-0x00000000050EC000-memory.dmp