Malware Analysis Report

2025-01-23 06:44

Sample ID 241105-bmmlta1epe
Target 873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27
SHA256 873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27

Threat Level: Known bad

The file 873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27 was found to be: Known bad.

Malicious Activity Summary

Healer family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer, an antivirus disabler dropper

RedLine payload

Redline family

Executes dropped EXE

Checks computer location settings

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-05 01:15

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 01:15

Reported

2024-11-05 01:18

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr690535.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe
PID 4788 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe
PID 4788 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe
PID 3620 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe
PID 3620 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe
PID 3620 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe
PID 3620 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe
PID 3620 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe
PID 1584 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe C:\Windows\Temp\1.exe
PID 1584 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe C:\Windows\Temp\1.exe
PID 1584 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe C:\Windows\Temp\1.exe
PID 4788 wrote to memory of 5860 N/A C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr690535.exe
PID 4788 wrote to memory of 5860 N/A C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr690535.exe
PID 4788 wrote to memory of 5860 N/A C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr690535.exe

Processes

C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe

"C:\Users\Admin\AppData\Local\Temp\873029213d332ae4b88106ee1033e3dd975457e246b6027cde837e8b65483e27.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr690535.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr690535.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidB8089.exe

MD5 716c5336e925d80c37b8357262043dfb
SHA1 949834b9cbc6f5ba0253fa2644c1efaf81594a93
SHA256 e89cac2955c6392f8b11a2893c414087062d52ef0e24bddb33eb4f7c77525684
SHA512 dfcb0d05223e2821695200f18b34411e3f5f2d89d81199d0d30c62dcc807be904927c20038a123893a966628853ccd814d09289e0619b4c021de5e00480bcc93

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr301776.exe

MD5 68a10ca503d060e0aa1b483e239b333b
SHA1 9e5f2b135c7d336044a031eec3465463e2a9fbb2
SHA256 2d554818d8f1aee9c7ddccb2ca9b065ec4a8d546e6de4f161cec109a4daa2ae5
SHA512 f91b4572bd1eafc25211aea6eee2e675eb3fb3dfe342dfb92f28af07eea382b6a38945cf45b2157a2a9298f0a1a74a734361aba38f595d50bb6df16345d00402

memory/2080-14-0x00007FFBE8773000-0x00007FFBE8775000-memory.dmp

memory/2080-15-0x0000000000620000-0x000000000062A000-memory.dmp

memory/2080-16-0x00007FFBE8773000-0x00007FFBE8775000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku594548.exe

MD5 26882e1b79806026d2479ccc24b93c49
SHA1 ff5cfd474738e72c4313efa0d50801eb404f8b84
SHA256 f7fa74005b18fa892de542131d8652a0fc1fe901ac7cdf2ef4fe616658a126b1
SHA512 10367d8224758f1a9b20d81c7739804c1b75a9012af4556d262dab23e25e9067f5b150e53dc9fb8f8a79ee88da1ec7876b99b74fe341806c43f462d2bffcc69b

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr690535.exe

MD5 2e63ae37126055c253f03c01c28624ab
SHA1 fc09d733d67a980ce61c9584b0d864c24df90dcc
SHA256 63f362be33163235de7f7a91100bb0feee5cc486f841928c1a872cde9be85fed
SHA512 52bce709d688eee87a4b2546e94ba107f9ae115d8b9b8d12ba3772965c798abd3a6a25bfa22bf3e782c179e7b0695e655c4caa2000bd0b7121469b1bf3f9de2b

memory/5860-2129-0x0000000000620000-0x0000000000650000-memory.dmp

memory/5860-2130-0x00000000026C0000-0x00000000026C6000-memory.dmp