Malware Analysis Report

2025-01-23 07:39

Sample ID 241104-q88thazmhx
Target cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368
SHA256 cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368
Tags
healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368

Threat Level: Known bad

The file cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Healer

Healer family

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:57

Reported

2024-11-04 13:59

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
(17 matches reported; no description, indicator, process or target details given for any of them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(21 matches reported; no description, indicator, process or target details given for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4872 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe
PID 4872 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe
PID 4872 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe
PID 2004 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe
PID 2004 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe
PID 2004 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe
PID 2004 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe
PID 2004 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe
PID 2004 wrote to memory of 4692 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe

"C:\Users\Admin\AppData\Local\Temp\cddf92f109d0b48b7d7fb3c7a424623be643cb2ae2a3feeb5dbaec0f2de91368.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
RU | 185.161.248.143:38452 | (none) | tcp
RU | 185.161.248.143:38452 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st006709.exe

MD5 b5358e924b1f5e831d0499355e445b4d
SHA1 86a6dbb2931d0863df71444beba43f8e26ea12c4
SHA256 910341b9744085533e0a070fce0b1b747f97f76c6f38045cb9dfda3bcc3f85fe
SHA512 7d7f95a7e9cac8ead42a5565ab3ec8751b50699e6ba57e0410f6a32e7c87b43d6dc2e37c7471884c6efee4632788317aa2aa95eaea8088de23a1adcb89bd9ef5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04122798.exe

MD5 2b71f4b18ac8214a2bff547b6ce2f64f
SHA1 b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256 f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA512 33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

memory/4444-14-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/4444-15-0x0000000002050000-0x000000000206A000-memory.dmp
memory/4444-17-0x0000000004BA0000-0x0000000005144000-memory.dmp
memory/4444-16-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-18-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-19-0x0000000002440000-0x0000000002458000-memory.dmp
memory/4444-29-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-47-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-45-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-43-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-41-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-39-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-37-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-35-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-33-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-31-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-27-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-25-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-23-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-21-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-20-0x0000000002440000-0x0000000002453000-memory.dmp
memory/4444-48-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-49-0x0000000073CCE000-0x0000000073CCF000-memory.dmp
memory/4444-50-0x0000000073CC0000-0x0000000074470000-memory.dmp
memory/4444-52-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp956591.exe

MD5 936efdf88e92c221a62e18fae00f517f
SHA1 77aa45464e97d367b75ba39d7340fed5039d00e5
SHA256 3f57f27351c33bf50e4ad67558516e3b5bfe8e59b8f6d12543edd8180073dd73
SHA512 972c5ca32e84476f0bf9b28be1340f722f5d8eaf4f06a3f4ca2dc6676b16d2d6b8969cbb602606d288e0ae6ff13731bc3405a5fe3e418b9c0ab70435cd6b3fe1

memory/4692-57-0x0000000004A80000-0x0000000004ABC000-memory.dmp
memory/4692-58-0x0000000004B20000-0x0000000004B5A000-memory.dmp
memory/4692-62-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-68-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-94-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-92-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-88-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-86-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-84-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-83-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-80-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-78-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-76-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-74-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-73-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-66-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-64-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-90-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-70-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-60-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-59-0x0000000004B20000-0x0000000004B55000-memory.dmp
memory/4692-851-0x0000000009D90000-0x000000000A3A8000-memory.dmp
memory/4692-852-0x00000000072D0000-0x00000000072E2000-memory.dmp
memory/4692-853-0x000000000A3B0000-0x000000000A4BA000-memory.dmp
memory/4692-854-0x0000000007300000-0x000000000733C000-memory.dmp
memory/4692-855-0x000000000A4F0000-0x000000000A53C000-memory.dmp