Malware Analysis Report

2025-04-13 23:56

Sample ID 241104-zmpyyaxbkh
Target 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb
SHA256 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb
Tags
healer redline lulsa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb

Threat Level: Known bad

The file 9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb was found to be: Known bad.

Malicious Activity Summary

healer redline lulsa discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer family

Healer

Redline family

RedLine payload

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:50

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:50

Reported

2024-11-04 20:52

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe
PID 3164 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe
PID 3164 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe
PID 4616 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe
PID 4616 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe
PID 4616 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe
PID 4616 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe
PID 4616 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe
PID 4616 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe

"C:\Users\Admin\AppData\Local\Temp\9759d6116e588c0c8f3878795b0545932b019351620fd3dd12e64ec7385c7aeb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1501834.exe

MD5 3d2f4ef876bd909c0b6d75673702d38d
SHA1 707097866b5af1bf4db16f389d085042fbe43b82
SHA256 9ddc432228d4ba9e10ec94b5f782b97320bc748884abc0e89fdc44c30a4f7b60
SHA512 9f5a899f3c73aac480c50c2ee5bd369183e35686a63e4e92b17bd9847405f3549bbc2fb3fb1ac62eaa8b878fe4047bde409f388052264b4ff0a83b333d1dde29

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4594391.exe

MD5 e8718337779b9a242b1d796090552450
SHA1 9357adfb8e3c0a9c52d7cca79dcca38d855d289b
SHA256 8fa0ce732399bf674d7b33cc6ad6762fa92aaaaead6e419c73361cf200f2b7b4
SHA512 316d6415e2d6a91f30f7da357c4ac0604ae61523ca51c36b4bf33af8f06ffed68ba1754dd98be5bfd9dafd8f34388c56782fb4d4d922f3fb838bd6422fa6e0fb


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9632447.exe

MD5 65a87881f0802e85c5c2ce4122508680
SHA1 899fe5a301af18797cd8ea6aaff94299733f1934
SHA256 7ec8e27669397c45b6d132adfef1b023fa60deacdc5bbf26dde973224a5a7090
SHA512 720bd6ef2681752e29b3094ba6e9d38c206a69bdf3546fc6bf5e056aae7fca1216ece7c5f649aaa5aa56f2d3d77593a972628428ed50d88909c39a6fa5691b84
