Malware Analysis Report

2025-01-23 07:35

Sample ID: 241104-q9qz3sznay
Target: af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df
SHA256: af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df
Tags: healer redline gena discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

Detects Healer an antivirus disabler dropper

Healer family

RedLine payload

Healer

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:57

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:57

Reported

2024-11-04 14:00

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload

Redline family

Tags: redline

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1800 wrote to memory of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe
PID 1800 wrote to memory of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe
PID 1800 wrote to memory of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe
PID 3136 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe
PID 3136 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe
PID 3136 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe
PID 792 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe
PID 792 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe
PID 792 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe
PID 792 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe
PID 792 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe
PID 3136 wrote to memory of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe
PID 3136 wrote to memory of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe
PID 3136 wrote to memory of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe

"C:\Users\Admin\AppData\Local\Temp\af1b400c4d8b07b2e642b61dac0e1edb4ba3681ef725a57bfe776116f34619df.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
RU | 193.233.20.30:4125 | - | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 193.233.20.30:4125 | - | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
RU | 193.233.20.30:4125 | - | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
RU | 193.233.20.30:4125 | - | tcp
RU | 193.233.20.30:4125 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba0925.exe

MD5 6fb5523286e28007ae541dff2ca0db7c
SHA1 0e1ccdc1747b266c96fc38a0e5b9f94069cf2dad
SHA256 77a26e898cd2def5131cd99026f7385734d21d72c2965a821a71f26e335066d1
SHA512 09c1e893861fa819952e5782751724b6ef4652de5289ddfb2586536757c0aa17205607471f5c7a23bed76422f93a25109d6d1142fd44fce2500bc4caef9bdd00

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba4939.exe

MD5 64a257a7d0fc1d5480d84b8ed7bd44df
SHA1 7cd8dc291b4f63c7722cb0b02e6a6fe1ad5a2175
SHA256 4a9048a1d6b09d3a853facb93e267ecad1bef9116dd877cf56352423109aa212
SHA512 31727e6a32d4f4ba207718e30d81b83eb02cbff964b9085f252f53c0a6ed20c81e337011fbff8bd4d119ddb7990381ff69cc7ad85749608b30e7320819f4452b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4939Pm.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h95Bl34.exe

MD5 7125a556a497573aa700949ee7d5743c
SHA1 633af8d0f7fc72c3fd02ffb8a2a58d6bde41da7c
SHA256 fbdca129280e5e29f199aa5625a02fd7e109e97eb303a7bab131d90512df4814
SHA512 5500aa76897f7b9ba1e47981092940fdb66ee8b7a4eaae637ec10b1b98e46ffaabf571bd8158fe02d2ea50cf94e705b519c6e8d1a0ad9446f8ef8c09de7ac2be

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icDfJ13.exe

MD5 1280aafb4e5289256d117f67cb976a29
SHA1 e33f625b0f9bd074641a89b4403ec2f1cae24ef5
SHA256 03efc3161d8c55d203649864da0da37792ba4de89f2385ac6483f77ddbbd0cab
SHA512 a9c730f887e5149a31bfdebafd3424ba06039cc180738db7632dfe242cf3a79edd989cf5139b70e5703887514b7c39acb6d3e8850a5a87a64830d4fdca311805
