Malware Analysis Report

2025-01-23 06:49

Sample ID: 241105-bnwwwa1je1
Target: 7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328
SHA256: 7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328
Tags: healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328
Threat Level: Known bad

The file 7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer family

RedLine

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Redline family

Healer

RedLine payload

Executes dropped EXE

Windows security modification

Checks computer location settings

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-05 01:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
(signature matched; no indicator detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-05 01:17
Reported: 2024-11-05 01:20
Platform: win10v2004-20241007-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
(two matches; no indicator detail recorded)

Healer

Tags: dropper, healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A

All six operations come from jr510673.exe, the Healer component, and target the Group Policy location for Defender real-time protection: the values written are the ones an administrator's policy would use to turn off real-time monitoring, behavior monitoring, IOAV (downloaded file and attachment) scanning and on-access protection. The sandbox records the writes, not their effect; on a host where Tamper Protection is enabled Defender ignores changes to these tamper-protected settings, so treat the rows as an evasion attempt and a high-fidelity host indicator rather than as proof that protection was turned off.

RedLine

Tags: infostealer, redline

RedLine payload

Description | Indicator | Process | Target
(five matches; no indicator detail recorded)

Redline family

Tags: redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | N/A

Windows security modification

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A

The same component also tries to switch Tamper Protection itself off by writing its state value directly. That value sits under the Defender service's own key and is protected while Tamper Protection is on, so a plain registry write from a user-mode process is not expected to succeed; the sandbox logs the attempt regardless of the outcome.

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe | N/A

Caveat: these two RunOnce values are not persistence for the payload. wextract_cleanupN entries that call advpack.dll's DelNodeRunDLL32 are what the IExpress self-extractor (wextract) writes so that its IXP00N.TMP extraction folder is deleted at the next logon. Their presence shows that the submitted sample and zidR8689.exe are IExpress-built archives nested one inside the other (IXP000.TMP, then IXP001.TMP), which is why the generic Run-key signature fired; no autostart of the dropped executables is evidenced by these rows.
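The Defender policy writes, the TamperProtection write and the RunOnce entries above are the kind of registry rows an analyst triages by hand. The following Python is an added example, not part of the sandbox report or of any vendor tooling, that encodes that triage as rules: it flags the real-time-protection policy values and the TamperProtection write as evasion, and separates genuine Run/RunOnce autostarts from IExpress wextract_cleanupN entries that only schedule deletion of the IXP00N.TMP folders. The EVENTS list is constructed from this report's rows; the rule names, severities and the Event/Finding types are this example's own.

```python
"""Rule-based triage of sandbox registry events (added example, not vendor code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
# Policy values that switch off Defender real-time protection components.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablescanonrealtimeenable",
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# IExpress/wextract self-cleanup: RunOnce value wextract_cleanupN deleting the IXP00N.TMP folder.
IEXPRESS_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
IEXPRESS_CMD_RE = re.compile(r"rundll32(\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)
LOCALE_KEY_FRAGMENTS = (r"\control panel\international\geo", r"\control\nls\language")


@dataclass(frozen=True)
class Event:
    op: str                 # e.g. "Set value (int)", "Key created", "Key value queried"
    key: str
    name: Optional[str]     # value name; None for key-level operations
    data: Optional[str]     # data as the sandbox printed it; None if not a write
    process: str


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str           # high / medium / low / info
    process: str
    detail: str


def classify(ev: Event) -> Finding:
    key, name = ev.key.lower(), (ev.name or "").lower()
    if key == RTP_POLICY_KEY.lower():
        if ev.op.startswith("Set value") and name in RTP_DISABLE_VALUES and ev.data == "1":
            return Finding("defender_rtp_disable", "high", ev.process, f"{ev.name} = 1")
        if ev.op == "Key created":
            return Finding("defender_rtp_policy_key_created", "medium", ev.process, "policy key created")
    if key == DEFENDER_FEATURES_KEY.lower() and name == "tamperprotection" and ev.data == "0":
        # Logged as an attempt: the value is protected while Tamper Protection is enabled.
        return Finding("tamper_protection_off_attempt", "high", ev.process, "TamperProtection = 0")
    if RUN_KEY_RE.search(ev.key) and ev.op.startswith("Set value"):
        if IEXPRESS_NAME_RE.match(name) and ev.data and IEXPRESS_CMD_RE.search(ev.data):
            # Packaging artefact of an IExpress SFX, not an autostart of the payload.
            return Finding("iexpress_cleanup", "info", ev.process, f"{ev.name} -> DelNodeRunDLL32")
        return Finding("run_key_persistence", "high", ev.process, f"{ev.name} = {ev.data}")
    if any(frag in key for frag in LOCALE_KEY_FRAGMENTS):
        return Finding("locale_discovery", "low", ev.process, ev.key.rsplit("\\", 1)[-1])
    return Finding("unclassified", "info", ev.process, f"{ev.op} {ev.key}")


def triage(events: List[Event]) -> List[Finding]:
    return [classify(e) for e in events]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# --- constructed from this report's registry rows (not a sandbox export) ----
JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe"
KU = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe"
ZID = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo"
EVENTS = [
    Event("Set value (int)", RTP_POLICY_KEY, "DisableScanOnRealtimeEnable", "1", JR),
    Event("Key created", RTP_POLICY_KEY, None, None, JR),
    Event("Set value (int)", RTP_POLICY_KEY, "DisableBehaviorMonitoring", "1", JR),
    Event("Set value (int)", RTP_POLICY_KEY, "DisableIOAVProtection", "1", JR),
    Event("Set value (int)", RTP_POLICY_KEY, "DisableOnAccessProtection", "1", JR),
    Event("Set value (int)", RTP_POLICY_KEY, "DisableRealtimeMonitoring", "1", JR),
    Event("Set value (int)", DEFENDER_FEATURES_KEY, "TamperProtection", "0", JR),
    Event("Key value queried", GEO_KEY, "Nation", None, KU),
    Event("Set value (str)", RUNONCE_KEY, "wextract_cleanup1",
          r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"', ZID),
    Event("Set value (str)", RUNONCE_KEY, "wextract_cleanup0",
          r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"', SAMPLE),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.severity:6} {f.category:32} {f.process.rsplit(chr(92), 1)[-1]:14} {f.detail}")
    print(summarize(triage(EVENTS)))
```

Run against the report's rows the summary is five defender_rtp_disable findings, one policy-key creation and one tamper_protection_off_attempt, all from jr510673.exe, two iexpress_cleanup entries at severity info, and no run_key_persistence; a Run value whose name or command does not match the IExpress pattern is still reported as persistence.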

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3364 wrote to memory of 1084 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe
PID 1084 wrote to memory of 3540 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe
PID 1084 wrote to memory of 1488 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe
PID 1488 wrote to memory of 6692 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | C:\Windows\Temp\1.exe
PID 3364 wrote to memory of 6904 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe | "C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe
C:\Windows\Temp\1.exe | "C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1384
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe

Process tree inferred from the PIDs in the WriteProcessMemory rows (a parent writing into the child it has just created); IXP000.TMP and IXP001.TMP are the extraction folders of two nested IExpress archives:

3364  C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe  (submitted sample)
  1084  IXP000.TMP\zidR8689.exe
    3540  IXP001.TMP\jr510673.exe  (writes the Defender policy values listed above)
    1488  IXP001.TMP\ku763619.exe  (crashes; both WerFault.exe instances name -p 1488)
      6692  C:\Windows\Temp\1.exe
  6904  IXP000.TMP\lr908848.exe
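Reconstructing the process tree from the WriteProcessMemory rows and the Processes list above, as an added example that is not part of the report: each "PID X wrote to memory of Y" row is read as parent X creating child Y, repeated edges are collapsed, and the -p argument of the WerFault.exe command lines identifies the process that crashed. The event tuples are constructed from this report's rows; the parent/child reading of a memory write is an inference, stated in the code.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows (added example).

Reading a (writer PID, target PID) pair as parent -> child is an inference:
the sandbox pairs the writing process with the process whose memory it wrote,
and for a loader that is the freshly created child. WerFault's -p argument
names the faulting process.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

WriteEvent = Tuple[int, int, str, str]  # (src_pid, dst_pid, src_path, dst_path)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7ff2aeec8c3810bd9ea17a58362230756aaaee151e8d07b01146c36f64763328.exe"
ZID = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe"
JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe"
KU = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe"
LR = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe"
ONE = r"C:\Windows\Temp\1.exe"

# Constructed from the "Suspicious use of WriteProcessMemory" rows, duplicates kept as reported.
WRITE_EVENTS: List[WriteEvent] = (
    [(3364, 1084, SAMPLE, ZID)] * 3
    + [(1084, 3540, ZID, JR)] * 2
    + [(1084, 1488, ZID, KU)] * 3
    + [(1488, 6692, KU, ONE)] * 3
    + [(3364, 6904, SAMPLE, LR)] * 3
)
# Constructed from the two WerFault.exe command lines in the Processes list.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1488 -ip 1488",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1384",
]


def build_tree(events: List[WriteEvent]) -> Tuple[Dict[int, str], Dict[int, List[int]], List[int]]:
    """Return (path_by_pid, children_by_pid, root_pids); repeated edges collapse to one."""
    path_by_pid: Dict[int, str] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    seen: Set[Tuple[int, int]] = set()
    for src, dst, src_path, dst_path in events:
        path_by_pid.setdefault(src, src_path)
        path_by_pid.setdefault(dst, dst_path)
        if (src, dst) not in seen:
            seen.add((src, dst))
            children[src].append(dst)
    targets = {dst for _, dst, _, _ in events}
    roots = [pid for pid in path_by_pid if pid not in targets]
    return path_by_pid, dict(children), roots


def crashed_pids(werfault_cmdlines: List[str]) -> Set[int]:
    """PIDs named by WerFault's -p switch (the faulting process); -pss and -ip do not match."""
    pids: Set[int] = set()
    for cmd in werfault_cmdlines:
        m = re.search(r"(?:^|\s)-p\s+(\d+)", cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def render(path_by_pid: Dict[int, str], children: Dict[int, List[int]],
           roots: List[int], crashed: FrozenSet[int] = frozenset()) -> List[str]:
    """Indented one-line-per-process view: PID, image basename, crash marker if any."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        name = path_by_pid[pid].rsplit("\\", 1)[-1]
        mark = "  [crashed: WerFault -p %d]" % pid if pid in crashed else ""
        lines.append("%s%d  %s%s" % ("  " * depth, pid, name, mark))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    paths, kids, roots = build_tree(WRITE_EVENTS)
    print("\n".join(render(paths, kids, roots, frozenset(crashed_pids(WERFAULT_CMDLINES)))))
```

On this report's rows the single root is PID 3364 (the sample) with children 1084 and 6904, 1084 spawns 3540 and 1488, 1488 spawns 6692, and 1488 is the only PID WerFault was invoked for.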

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | - | tcp (4 connections)
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
FI | 77.91.124.145:4125 | - | tcp (4 connections)
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 connections)
FI | 77.91.124.145:4125 | - | tcp (4 connections)

The 8.8.8.8:53 rows are reverse (PTR) lookups of Microsoft and CDN addresses and the tse1.mm.bing.net traffic is background activity of the Windows 10 image; neither is attributable to the sample. The only destination not explained by the environment is 77.91.124.145:4125 (twelve TCP connections in three bursts), which is consistent with RedLine's direct-TCP command-and-control on a non-standard port. The report does not tie these connections to a specific process, so confirm the owning process before using the address as an indicator.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidR8689.exe

MD5 14f9619adcb5baf1e03e8bba22560e3c
SHA1 79051b8b5c5291a7940c9a050019a42dfb7d690e
SHA256 18892464729d99c957424a44cd3f4b3e7607d4cd4742774a1e4c92c0e17408f5
SHA512 1f3faf31272368251128ae8fffc21da1849ee1f0c9df3f735f677c216731e87fa6a64f6cd3f033f8d849d68fdfe520b17bb889cec43c69da6a12896ef987b504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr510673.exe

MD5 b0ef59c7ee273bf901a526a871145e7d
SHA1 2b41b0b7963e72771a40343864b6a4a6af0ef4af
SHA256 cecca4676de5f90d4386e33f74ab745614252cb7927e8c5e0facfe193e54b9f0
SHA512 d3895715d1eb4552b3095b653de27d320e4c3f9c438bec6d5e846a971dedc508b467617900286932f9c24820a89ae521dadd91e428a1cf6c830e7df14eb3937f

memory/3540-14-0x00007FF896E63000-0x00007FF896E65000-memory.dmp

memory/3540-15-0x00000000006F0000-0x00000000006FA000-memory.dmp

memory/3540-16-0x00007FF896E63000-0x00007FF896E65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku763619.exe

MD5 b2a92ecdaa070bb49d8af09c57a201cf
SHA1 ad3c21d3342d5231c44f8522109513f39bc41841
SHA256 40740f95d3481044d95d2ff664142ba91d25cf367e79ee41de44ddc4dcaa3c65
SHA512 78a40ef56fe11ec2e2cdd02762d1b297f7f680c567b156b3ae3688e71b9cab471728bf1dc6aa0ecff8c1c26057f0eed27e8dce7da06c059fa17ba6fdb401a451

memory/1488-22-0x00000000025B0000-0x0000000002616000-memory.dmp

memory/1488-23-0x0000000004CE0000-0x0000000005284000-memory.dmp

memory/1488-24-0x0000000004C20000-0x0000000004C86000-memory.dmp

memory/1488-46-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-44-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-88-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-86-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-84-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-82-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-80-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-76-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-74-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-72-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-70-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-68-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-66-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-64-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-60-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-58-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-56-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-54-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-52-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-50-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-48-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-43-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-40-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-38-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-36-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-34-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-32-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-30-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-28-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-78-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-62-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-26-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-25-0x0000000004C20000-0x0000000004C7F000-memory.dmp

memory/1488-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/6692-2118-0x0000000000110000-0x0000000000140000-memory.dmp

memory/6692-2119-0x0000000000890000-0x0000000000896000-memory.dmp

memory/6692-2120-0x0000000005120000-0x0000000005738000-memory.dmp

memory/6692-2121-0x0000000004C10000-0x0000000004D1A000-memory.dmp

memory/6692-2122-0x0000000004980000-0x0000000004992000-memory.dmp

memory/6692-2123-0x0000000004B00000-0x0000000004B3C000-memory.dmp

memory/6692-2124-0x0000000004B40000-0x0000000004B8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr908848.exe

MD5 94a65fdc965bc3f25db8c82d1ad09edb
SHA1 fe44beb0b33f448380d0391a5cd47fad0158128c
SHA256 71c68dcc5a07eec0c3300e4a06c949b84a4cc8be62fb6725f398a4366587bc54
SHA512 737ba4376d46a0f936dbd18df2beb05977383781b6e26202e9ce36e39d5eaf1f44511c18ccb3e96e0fe6a193a1bf12e99ad164d30daae23a2e864042080d0907

memory/6904-2129-0x0000000000B40000-0x0000000000B70000-memory.dmp

memory/6904-2130-0x0000000002E30000-0x0000000002E36000-memory.dmp