Malware Analysis Report

2025-01-23 06:42

Sample ID 241105-2lv5nssphr
Target 4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29
SHA256 4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29
Tags healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29

Threat Level: Known bad

The file 4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

Redline family

Healer

Detects Healer an antivirus disabler dropper

RedLine

Healer family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 22:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 22:40

Reported

2024-11-05 22:43

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr901387.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1460 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe
PID 1460 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe
PID 1460 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe
PID 1236 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe
PID 1236 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe
PID 1236 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe
PID 1236 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe
PID 1236 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe
PID 3456 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe | C:\Windows\Temp\1.exe
PID 3456 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe | C:\Windows\Temp\1.exe
PID 3456 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe | C:\Windows\Temp\1.exe
PID 1460 wrote to memory of 5232 | N/A | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr901387.exe
PID 1460 wrote to memory of 5232 | N/A | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr901387.exe
PID 1460 wrote to memory of 5232 | N/A | C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr901387.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe

"C:\Users\Admin\AppData\Local\Temp\4b552bc58aeea8fe3bac146277ca39628923a119b17e80caa52cd682e6245b29.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3456 -ip 3456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr901387.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr901387.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp
FI | 77.91.124.145:4125 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyG3823.exe

MD5 42c2ca143040058720b4b58f8ba067e8
SHA1 a692b17fc02d209ab7e0c4a23bd18514aee783e8
SHA256 a8f6eb0e6e76629ca2f885249fd4b6fc6bda760291bc0875b02a41ff0dd08dbb
SHA512 c52e335d52ef3f1a8ca97186fb635724f9814cde1af7dcfe4d95a09b8014d8b002b96f7f304f7429fc4bf6e8688b440fe340062fb0b4ed4d5dc73a2ac4979476

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr797357.exe

MD5 dd996c85fd79533bafec214bb6ac1638
SHA1 4a9df29e2d1aac38a4d341663f9a88b05f0c06f0
SHA256 30d9d27734107c96c1ff9ebcf85aeac6394dbdd4d37310fbb0fb836d6ad73aeb
SHA512 b6055f92f3b2feef3c0de11f4fb9377449f9e46314d2f274b72c8280da17430d663bd1934298e2c4b97c03ae9a006243e7530dd9d6a27e5947b3ceef47a19a56

memory/1600-14-0x00007FFAE25E3000-0x00007FFAE25E5000-memory.dmp

memory/1600-15-0x00000000007E0000-0x00000000007EA000-memory.dmp

memory/1600-16-0x00007FFAE25E3000-0x00007FFAE25E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku944517.exe

MD5 81aea3c83dc04deb2545dbb132086479
SHA1 c4a486c9212233e4e9deea9132b75c6b76ed8ac4
SHA256 8bbbef91cd669ec2d5523bcb00a7afee5e207c09b9dc8acb9efb7cd12505679e
SHA512 2640c10e7dc2eaebd50e7ec8a711a2507e9029a5bf39fba4a867078e038d5f800ee76c9b461c06d336bb7294af5cbd8ed8985bceaf330456e75b5186d8f5ee49

memory/3456-22-0x0000000004A60000-0x0000000004AC6000-memory.dmp

memory/3456-23-0x0000000004C60000-0x0000000005204000-memory.dmp

memory/3456-24-0x0000000005210000-0x0000000005276000-memory.dmp

memory/3456-38-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-42-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-88-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-86-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-84-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-82-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-78-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-76-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-74-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-70-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-68-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-66-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-64-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-62-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-58-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-56-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-54-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-52-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-48-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-46-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-44-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-40-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-36-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-34-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-32-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-30-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-28-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-80-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-72-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-60-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-50-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-26-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-25-0x0000000005210000-0x000000000526F000-memory.dmp

memory/3456-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/4948-2118-0x0000000000C20000-0x0000000000C50000-memory.dmp

memory/4948-2119-0x0000000002E10000-0x0000000002E16000-memory.dmp

memory/4948-2120-0x0000000005C10000-0x0000000006228000-memory.dmp

memory/4948-2121-0x0000000005700000-0x000000000580A000-memory.dmp

memory/4948-2122-0x0000000005490000-0x00000000054A2000-memory.dmp

memory/4948-2123-0x0000000005630000-0x000000000566C000-memory.dmp

memory/4948-2124-0x0000000005670000-0x00000000056BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr901387.exe

MD5 e79db817a6b49aa6f4c3a1ce82f297c8
SHA1 a0d0f41c43cbf857642ee3029a54c36814d52597
SHA256 84c1925d51c82802d3488ea891c0e74e43f40427cd0c1bed286fff87db65ca60
SHA512 1608e330f715e89fb7d5a051fc66b2ab0b2461ee3e7352d01fc78d5fa20d5f4a35c2222a4cf4e60daa3a54b1e76ec07d41b2b3d22a01dd3b03649823aecbc1e2

memory/5232-2129-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

memory/5232-2130-0x00000000051E0000-0x00000000051E6000-memory.dmp