Malware Analysis Report

2025-04-13 23:55

Sample ID 241104-zmhvmazkfr
Target 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929
SHA256 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929
Tags
healer redline dark discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929

Threat Level: Known bad

The file 24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929 was found to be: Known bad.

Malicious Activity Summary

healer redline dark discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:49

Reported

2024-11-04 20:52

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe
PID 1368 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe
PID 1368 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe
PID 2492 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe
PID 2492 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe
PID 2492 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe
PID 3516 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe C:\Windows\Temp\1.exe
PID 3516 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe C:\Windows\Temp\1.exe
PID 2492 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe
PID 2492 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe
PID 2492 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe
PID 1368 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe
PID 1368 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe
PID 1368 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe

Processes

C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe

"C:\Users\Admin\AppData\Local\Temp\24f31b784e85e60cc7f6b4075f12081688d843f1955e5d11560d1d8b3f62a929.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
RU 185.161.248.73:4164 N/A tcp
RU 185.161.248.73:4164 N/A tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st594663.exe

MD5 1d842553e51f80edf832e9abede2e306
SHA1 d31300633a18eb597c8e82909a1d5f137df33e51
SHA256 c9197720ab3e75fb70159a47632f24329343902448ba826c9439d0c2f56a34fb
SHA512 07a8ccf79800266d2559f0033a2690e47ebc2b9a1e8ba9e509fed100a98483af100f7296dd8772b5ce831a0f950e9ae4324ae9be399dbc1ad19e2f5f86e1239f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\42351937.exe

MD5 b354addd2cd269d32a23a62cefdefba3
SHA1 1ab89956f494c9aa0ac3633469680f0ea4217121
SHA256 e08cd00a91818d34a81fc85ef543c178b0a56e28bea32c3df5cc882b2c45851e
SHA512 72d8f1c0db60965338884240197d806d4870c5e2beb01f21fff91b84936a2db4ccf1f16b1ab20a0432a780729fdb6769eef916e685d165bb4561835c063e9ef8

memory/3516-14-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

memory/3516-15-0x00000000025C0000-0x0000000002618000-memory.dmp

memory/3516-17-0x0000000004B30000-0x00000000050D4000-memory.dmp

memory/3516-16-0x0000000074AA0000-0x0000000075250000-memory.dmp

memory/3516-18-0x00000000050E0000-0x0000000005136000-memory.dmp

memory/3516-19-0x0000000074AA0000-0x0000000075250000-memory.dmp

memory/3516-39-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-83-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-316-0x0000000074AA0000-0x0000000075250000-memory.dmp

memory/3516-81-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-79-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-77-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-75-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-73-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-71-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-69-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-65-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-63-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-61-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-59-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-57-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-55-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-53-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-51-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-49-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-47-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-45-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-43-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-41-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-37-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-35-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-34-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-31-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-29-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-27-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-25-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-23-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-21-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-20-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-67-0x00000000050E0000-0x0000000005131000-memory.dmp

memory/3516-2151-0x0000000074AA0000-0x0000000075250000-memory.dmp

memory/3516-2149-0x0000000005430000-0x000000000543A000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3516-2164-0x0000000074AA0000-0x0000000075250000-memory.dmp

memory/3968-2163-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp201760.exe

MD5 f9639bc0419307c14f4fa1331bbfa2e4
SHA1 54ef89f866a699996f4fcb08bbfc8220eb59da15
SHA256 7b5ca53bed811dc6ef1ffd0939250a7ea864d4dad763ea84f8e6fcc1205bdc92
SHA512 0e315ea0cf2e223e1172bb4fffe74facd814a685e02ce1e4a617295052cac35c2ef098c89699a5d7234488989e2bf9cd5f986db33dc3b016b1e02702b1579d88

memory/4660-2169-0x0000000002400000-0x0000000002468000-memory.dmp

memory/4660-2170-0x0000000002B50000-0x0000000002BB6000-memory.dmp

memory/4660-4317-0x0000000002C60000-0x0000000002C92000-memory.dmp

memory/4660-4318-0x00000000057B0000-0x0000000005842000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934867.exe

MD5 d020e9f55b92d4bf1c29e21547c99753
SHA1 19553c26d3db4f29fcb6a446a5095e709a09a30d
SHA256 86cad0bf5193925361f58cfffbb0e590c5c3e8e87808e93590c0bbeac140259f
SHA512 6dd59762fecd32ce72ded16b8d55be8f816a75facf44187ccdc1f89d7e28c0359d79d713d2b260fae3988ccd1686bea628c065ca0478f43dda1bb7aad772bc5d

memory/4524-4324-0x0000000000E50000-0x0000000000E80000-memory.dmp

memory/4524-4325-0x0000000001650000-0x0000000001656000-memory.dmp

memory/4524-4326-0x0000000005F90000-0x00000000065A8000-memory.dmp

memory/4524-4327-0x0000000005A80000-0x0000000005B8A000-memory.dmp

memory/4524-4328-0x0000000005700000-0x0000000005712000-memory.dmp

memory/4524-4329-0x0000000005970000-0x00000000059AC000-memory.dmp

memory/4524-4330-0x00000000059C0000-0x0000000005A0C000-memory.dmp