Malware Analysis Report

2025-01-23 07:35

Sample ID 241104-rbt5hszncz
Target ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c
SHA256 ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c
Tags: healer redline rosn discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c

Threat Level: Known bad

The file ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer, an antivirus disabler dropper

RedLine payload

RedLine

Redline family

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 14:01

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 14:01

Reported

2024-11-04 14:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe
PID 3420 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe
PID 3420 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe
PID 1420 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe
PID 1420 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe
PID 1420 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe
PID 1420 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe
PID 1420 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe
PID 1420 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe

"C:\Users\Admin\AppData\Local\Temp\ceea9ebba0f8135525009be4720da56c8b68501bf33b2025dbb2d81567fb282c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4924 -ip 4924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un021502.exe

MD5 7c09dc27c1909cef2777ebc2b279527b
SHA1 45e11516e6643dcdd3bf905bd8a91a3762482eb6
SHA256 e7f777cdfa460e4cc69b6e2684f36d5314b4f9e454f587066a838ee1c4b90fc1
SHA512 a3b8ff1f75967e2edfe61f6c0c5deeeee8de59e7b84e9074c8a539b23540cefb539149ba168c9c1e3da9f6ac132eaa7023e1556ef4a07609d82a18628f67b208

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8017.exe

MD5 83f73c0fff675a7213207f0b2ec9d605
SHA1 73a041660ef3133405595738f5ebd6ea55c3908b
SHA256 704ead984d4addc73264838bcbac04b2af9b3bc684b30b5f21a920ea8e69111b
SHA512 10ee8aae74348a925499889bceb45fab373cebdd9519b9c1fa0dc0b7041db12fe4eaed0e5f0e20d35ed5ca665dca9733053fa41ef3f1d3587d116f5e113fa608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1369.exe

MD5 81050f294b6309677fc4fff6cb4135cb
SHA1 6e022c7d92af39241d3220698adc39dfd0700630
SHA256 64ca64ee8f50a145e5f479109e823fa6ecf949d334fdbed000bca5fbaa7096f4
SHA512 4a8006d47bafe445090b04658898aaa490c1c31294675a5b4a6249f4cebc81c4b4e076082d0ec405cb88e5d72850add9eafe48d23695fba7db10cb19918cb9f8
