Malware Analysis Report

2025-01-23 05:56

Sample ID 241104-sqq7vasakh
Target eaacc84af8dd8c079f4c808262866d54ace4c0f52a739c472a79d3e7b275901a
SHA256 eaacc84af8dd8c079f4c808262866d54ace4c0f52a739c472a79d3e7b275901a
Tags: healer redline dubka discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

eaacc84af8dd8c079f4c808262866d54ace4c0f52a739c472a79d3e7b275901a

Threat Level: Known bad

The file eaacc84af8dd8c079f4c808262866d54ace4c0f52a739c472a79d3e7b275901a was found to be: Known bad.

Malicious Activity Summary

healer redline dubka discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer family

RedLine payload

Healer

RedLine

Modifies Windows Defender Real-time Protection settings

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 15:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 15:20

Reported

2024-11-04 15:22

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beD20MI.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4308 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe
PID 4308 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe
PID 4308 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe
PID 3596 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe
PID 3596 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe
PID 3596 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe
PID 3592 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe
PID 3592 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe
PID 3592 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe
PID 4500 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe
PID 4500 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe
PID 4500 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beD20MI.exe
PID 4500 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beD20MI.exe
PID 4500 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beD20MI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe

"C:\Users\Admin\AppData\Local\Temp\ab7712d2c658df3e092b95b0f39a02683bdfe0c942295dfd4cc46a018f93b542.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beD20MI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beD20MI.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.13:4136 | | tcp
RU | 193.233.20.13:4136 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 193.233.20.13:4136 | | tcp
RU | 193.233.20.13:4136 | | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
RU | 193.233.20.13:4136 | | tcp
RU | 193.233.20.13:4136 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\guU31FE.exe

MD5 37596e50a8cf71e521bc6deb5c394374
SHA1 5bd8ae91c992962c36cc7b43eb112d06d549a7be
SHA256 95c6c76d381e718f33a51c987bd9e048dfe73592978034a0075b20bd36c13cef
SHA512 186b7127bf8d9b086f63cac760bf4ebda83a208b9cbbed15e8c6840a1b3bcbb358f9247be19b215c90f35f50e041f3254993158de5cdf815bd0abd08d16f7d34

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gti72nE.exe

MD5 d2d2a219b3dc20d3afecfe9cfe99179b
SHA1 ab64b6bd396d642108e98ee49c208ce348486ee6
SHA256 2c38ef0be2a5a8877793cb78b0a6ae9533159b9bfb18ea1295c80766242fb0db
SHA512 9a3b7ce274ce41b43efb203c8081c9f57f774279ea7cb3458615c1d78fce18185566bcc3072a207529ae6ee8e73196ad970e5d15a18daf0f4b98d238e19b2a31

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJK09bI.exe

MD5 48a3e2d52d280dfac168c37513dc789e
SHA1 a7ead391be5e31126e0923af90f69d142cc55a6a
SHA256 b8703ffe9bf405e5b617030963a6876c789fe256d8528dfca6e096a3e1d8f9aa
SHA512 a195a462ad994599aa571658b58afd95c094d753a14dbc6e43377050ca0c0f3e49864bc78677d04ce6972af1fc1c85774f7400c47d8890bd2f1ac68d7dcb5e19

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\api11.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4456-28-0x00000000003F0000-0x00000000003FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beD20MI.exe

MD5 dd0c9e110c68ce1fa5308979ef718f7b
SHA1 473deb8069f0841d47b74b7f414dacc6f96eca78
SHA256 dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3
SHA512 29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

memory/4836-33-0x0000000000540000-0x0000000000572000-memory.dmp

memory/4836-34-0x00000000054E0000-0x0000000005AF8000-memory.dmp

memory/4836-35-0x0000000005020000-0x000000000512A000-memory.dmp

memory/4836-36-0x0000000004F50000-0x0000000004F62000-memory.dmp

memory/4836-37-0x0000000004FB0000-0x0000000004FEC000-memory.dmp

memory/4836-38-0x0000000005130000-0x000000000517C000-memory.dmp