Malware Analysis Report

2025-01-23 06:44

Sample ID 241105-fnthzavflg
Target 0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65
SHA256 0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65

Threat Level: Known bad

The file 0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65 was found to be: Known bad.

Malicious Activity Summary

RedLine

Detects Healer, an antivirus disabler dropper

Redline family

RedLine payload

Healer

Modifies Windows Defender Real-time Protection settings

Healer family

Windows security modification

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 05:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 05:01

Reported

2024-11-05 05:04

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
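
The Real-Time Protection table and the TamperProtection row above are the two Defender-weakening actions an analyst would turn into a detection. What follows is an added example, not part of this report or of the Healer sample: it parses registry events in the one-row-per-write form this report uses, flags writes that disable a Defender component, and returns the processes responsible. The key paths and value names are Windows Defender's real locations; the event list is constructed from the rows in this report, with the wextract RunOnce write from the persistence table included as a negative case, and the function and class names are this example's own.

```python
"""Flag Windows Defender tampering in sandbox registry events.

Added example; not code from this report or from the Healer sample.
The event lines are constructed from rows shown in this report, with
the wextract RunOnce entry included as a negative case.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Real Defender locations, written the way the sandbox reports them
# (\REGISTRY\MACHINE is HKLM). Setting any value in RTP_DISABLE_VALUES
# to 1 switches off one Real-Time Protection component; setting
# TamperProtection to 0 is an attempt to turn off the feature that
# guards those settings.
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
TAMPER_PROTECTION = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

# One report row:  Set value (<type>) <value path> = "<data>" <writing process>
# The data field may itself contain escaped quotes and backslashes.
EVENT_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+)$'
)

JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe"
MAIN = r"C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe"

# Constructed sample: rows copied from this report (order is not significant).
SAMPLE_EVENTS = [
    f'Set value (int) {RTP_KEY}\\DisableRealtimeMonitoring = "1" {JR}',
    f'Set value (int) {RTP_KEY}\\DisableScanOnRealtimeEnable = "1" {JR}',
    f'Key created {RTP_KEY} {JR}',
    f'Set value (int) {RTP_KEY}\\DisableBehaviorMonitoring = "1" {JR}',
    f'Set value (int) {RTP_KEY}\\DisableIOAVProtection = "1" {JR}',
    f'Set value (int) {RTP_KEY}\\DisableOnAccessProtection = "1" {JR}',
    f'Set value (int) {TAMPER_PROTECTION} = "0" {JR}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ' + MAIN,
]


@dataclass(frozen=True)
class Finding:
    process: str
    value_path: str
    data: str
    reason: str


def parse_event(line: str) -> Optional[dict]:
    """Return the row's fields, or None for rows that are not value writes."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify(event: dict) -> Optional[Finding]:
    """Decide whether one value write weakens Defender."""
    key, _, name = event["path"].rpartition("\\")
    if key == RTP_KEY and name in RTP_DISABLE_VALUES and event["data"] == "1":
        return Finding(event["proc"], event["path"], event["data"],
                       f"policy value {name} set to 1 disables a Real-Time Protection component")
    if event["path"] == TAMPER_PROTECTION and event["data"] == "0":
        return Finding(event["proc"], event["path"], event["data"],
                       "attempts to switch off Defender Tamper Protection")
    return None


def scan(lines) -> List[Finding]:
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:  # "Key created" / "Key opened" rows carry no data
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def tampering_processes(lines) -> Set[str]:
    """Distinct writers behind the findings: the processes to pivot on."""
    return {f.process for f in scan(lines)}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process}: {f.reason}")
```

Whether either write took effect is not something the sandbox can tell: with Tamper Protection on, Defender blocks these changes when they are made through the registry or local policy, so the recorded write is the indicator, and the writer's location under Temp\IXP001.TMP is what separates it from any policy tooling. In a SIEM the same logic maps onto Sysmon event 13 (registry value set) on these paths.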

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe | N/A

Note: both RunOnce values are the cleanup hook that wextract.exe (the IExpress self-extractor, which is what creates the IXP000.TMP and IXP001.TMP directories) registers so that advpack.dll's DelNodeRunDLL32 deletes its extraction directory at the next logon. They do not start the payload; this hit records the nested self-extracting packaging rather than persistence for the stealer, and no other Run or RunOnce entry appears in the report.

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr586258.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2360 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe
PID 2360 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe
PID 2360 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe
PID 3636 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe
PID 3636 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe
PID 3636 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe
PID 3636 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe
PID 3636 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe
PID 848 wrote to memory of 6096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe | C:\Windows\Temp\1.exe
PID 848 wrote to memory of 6096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe | C:\Windows\Temp\1.exe
PID 848 wrote to memory of 6096 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe | C:\Windows\Temp\1.exe
PID 2360 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr586258.exe
PID 2360 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr586258.exe
PID 2360 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr586258.exe
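
The table above is the sandbox's record of parent processes writing into children, one row per call. Writes of this kind also happen during ordinary process creation, so the table is reliable as a parent-child map but on its own does not show injection or hollowing. The following is an added example, not code from this report or from the sample, that rebuilds the process tree from these rows: it collapses the repeated rows into one edge with a call count, walks the lineage of any PID, and renders the tree. The rows are copied from this report; the path constants and function names are this example's own.

```python
"""Rebuild the process tree from a sandbox WriteProcessMemory table.

Added example; not code from this report or from the sample. The rows
are copied from this report's "Suspicious use of WriteProcessMemory"
table, including the repeated rows the sandbox emits per call.
"""
import re
from collections import defaultdict

# One row:  PID <src> wrote to memory of <dst> N/A <src path> <dst path>
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$"
)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
MAIN = TEMP + r"\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe"
ZIDR = TEMP + r"\IXP000.TMP\ziDr2393.exe"
JR = TEMP + r"\IXP001.TMP\jr221406.exe"
KU = TEMP + r"\IXP001.TMP\ku464093.exe"
LR = TEMP + r"\IXP000.TMP\lr586258.exe"
ONE = r"C:\Windows\Temp\1.exe"

# Constructed sample: the report's rows, duplicates included.
SAMPLE_WRITES = [
    f"PID 2360 wrote to memory of 3636 N/A {MAIN} {ZIDR}",
    f"PID 2360 wrote to memory of 3636 N/A {MAIN} {ZIDR}",
    f"PID 2360 wrote to memory of 3636 N/A {MAIN} {ZIDR}",
    f"PID 3636 wrote to memory of 2736 N/A {ZIDR} {JR}",
    f"PID 3636 wrote to memory of 2736 N/A {ZIDR} {JR}",
    f"PID 3636 wrote to memory of 848 N/A {ZIDR} {KU}",
    f"PID 3636 wrote to memory of 848 N/A {ZIDR} {KU}",
    f"PID 3636 wrote to memory of 848 N/A {ZIDR} {KU}",
    f"PID 848 wrote to memory of 6096 N/A {KU} {ONE}",
    f"PID 848 wrote to memory of 6096 N/A {KU} {ONE}",
    f"PID 848 wrote to memory of 6096 N/A {KU} {ONE}",
    f"PID 2360 wrote to memory of 2176 N/A {MAIN} {LR}",
    f"PID 2360 wrote to memory of 2176 N/A {MAIN} {LR}",
    f"PID 2360 wrote to memory of 2176 N/A {MAIN} {LR}",
]


def parse_write_events(lines):
    """Return (parent_of, path_of, writes).

    parent_of maps child PID -> first PID that wrote into it;
    path_of maps PID -> image path; writes counts calls per (src, dst) edge.
    """
    parent_of, path_of, writes = {}, {}, defaultdict(int)
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        path_of.setdefault(src, m["src_path"])
        path_of.setdefault(dst, m["dst_path"])
        parent_of.setdefault(dst, src)  # first writer is taken as the parent
        writes[(src, dst)] += 1
    return parent_of, path_of, dict(writes)


def lineage(parent_of, pid):
    """Root-to-leaf chain of PIDs ending at pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render_tree(parent_of, path_of):
    """Indented text tree, one process per line, children sorted by PID."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        name = path_of[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in path_of if p not in parent_of):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    parents, paths, counts = parse_write_events(SAMPLE_WRITES)
    print("\n".join(render_tree(parents, paths)))
    print("1.exe lineage:", lineage(parents, 6096))
```

On this report the result is the main executable spawning ziDr2393.exe and lr586258.exe from IXP000.TMP, ziDr2393.exe spawning jr221406.exe (the process behind the Healer and Defender signatures) and ku464093.exe from IXP001.TMP, and ku464093.exe spawning C:\Windows\Temp\1.exe; the WerFault entries for PID 848 in the Processes list show that ku464093.exe also crashed. The report does not name which stage carries the RedLine payload, so the tree is what an analyst would use to choose which dropped files to unpack first.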

Processes

C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe

"C:\Users\Admin\AppData\Local\Temp\0bb54f15c8ef5f28ee0543d657b411fbaed7008ee03c541dc05710480d403a65.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 848 -ip 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1336

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr586258.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr586258.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
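
The Network table mixes the sandbox image's own background traffic with the sample's connections, and the report does not attribute flows to processes. The following is an added example, not part of this report: it parses the rows above, sets aside reverse lookups and Bing traffic as image noise (a heuristic of this example, assumed from what a clean Windows 10 image produces on its own), counts what remains, and decodes the in-addr.arpa names back into the addresses being reverse-resolved so they can be compared against the connection list rather than treated as indicators in their own right. The rows are copied from this report; the function names and the noise rules are this example's own.

```python
"""Separate sandbox background traffic from candidate C2 endpoints.

Added example; not code from this report or from the sample. The rows are
copied from this report's Network table. The noise rules are analyst
heuristics assumed for this example, not sandbox output.
"""
from collections import Counter

# Constructed sample: the report's Network table, header included.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
""".splitlines()

# Assumed noise: reverse lookups and Bing hosts are what a clean Windows 10
# image produces by itself; a lookup of such a name is noise for the same reason.
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_row(line):
    """Split one table row; rows without a resolved name have three fields."""
    parts = line.split()
    if not parts or parts[0] == "Country":  # header row
        return None
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def is_noise(row):
    return row["domain"].endswith(NOISE_DOMAIN_SUFFIXES)


def triage(lines):
    """Return (noise, candidates), each a Counter keyed by (country, dest, proto)."""
    noise, candidates = Counter(), Counter()
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        key = (row["country"], row["dest"], row["proto"])
        (noise if is_noise(row) else candidates)[key] += 1
    return noise, candidates


def candidate_report(lines):
    """Human-readable candidate endpoints, busiest first."""
    _, candidates = triage(lines)
    return [f"{dest} ({country}/{proto}) x{n}"
            for (country, dest, proto), n in candidates.most_common()]


def reverse_lookup_ips(lines):
    """Addresses behind the in-addr.arpa lookups, octets restored to normal order."""
    ips = set()
    for line in lines:
        row = parse_row(line)
        if row and row["domain"].endswith(".in-addr.arpa"):
            octets = row["domain"][: -len(".in-addr.arpa")].split(".")
            ips.add(".".join(reversed(octets)))
    return sorted(ips)


if __name__ == "__main__":
    print("candidates:", candidate_report(SAMPLE_ROWS))
    print("reverse-resolved:", reverse_lookup_ips(SAMPLE_ROWS))
```

On this capture the only thing left after the noise is removed is the twelve TCP connections to 77.91.124.145:4125, which is the endpoint an analyst would take forward as the candidate command-and-control address. Tying it to the RedLine payload would need the sample's configuration or per-process network attribution, neither of which is in this report, and the reverse-resolved addresses (150.171.27.10 among them) line up with the Bing connections rather than adding new indicators.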

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr2393.exe

MD5 2fb0a985e2d05065fb94b0b60e96a945
SHA1 21b846659ecfdbaf34a8de27cbf876c493b5c5d6
SHA256 ca0cbf159c676dc781e9038d7c4de6f9b381867b89e32c49a5e1219b74e319a0
SHA512 2d1a1b795bd4b257b91e696446927a8c056e231bf5f33942ca9ffcfe5f76e043d4639377176e650e735ed4a48409fb8c90ea5058ca4384669122181f04656add

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr221406.exe

MD5 94beefa2f50f14cb5162a2ba8ca2f30f
SHA1 08adc18ac0f37c3ceff669797cd1a766d6f5ec08
SHA256 100137d49e27c94b0867fa165355f22e3938c7c61e7588d29525aa8ebf9ad918
SHA512 3296c20f662d657f2ac43f1b3ae237b8ddb5e06b717183edbf2e84cb8f09150ceb4370b3f1c44423190b8ea6b1222b70da41d07979b90807594b6d8c4456a8f2

memory/2736-14-0x00007FFA0FE23000-0x00007FFA0FE25000-memory.dmp

memory/2736-15-0x0000000000340000-0x000000000034A000-memory.dmp

memory/2736-16-0x00007FFA0FE23000-0x00007FFA0FE25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku464093.exe

MD5 2c7add92e682bbef68600638c753e696
SHA1 aa0d226f7fb13e2996fa057b4fffe6837f118404
SHA256 fa6f7047f823b969bdc9424909c3ba27e523cdcd4f8494f00bbad4306f0ac643
SHA512 42582257ba0baa9e4ff2fc362029909fdbbd3fb4a15ea2f40d25a93623b0f2b774fbd938921792e352a2d1b41276f2738c8596f3647d6b6f8e6cbaf7e2a19adb

memory/848-22-0x0000000004CC0000-0x0000000004D26000-memory.dmp

memory/848-23-0x0000000004D90000-0x0000000005334000-memory.dmp

memory/848-24-0x0000000005340000-0x00000000053A6000-memory.dmp

memory/848-88-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-86-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-84-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-82-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-80-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-78-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-74-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-72-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-70-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-68-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-66-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-62-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-60-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-58-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-56-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-54-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-52-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-50-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-46-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-44-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-42-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-40-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-36-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-34-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-32-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-30-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-29-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-76-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-64-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-49-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-38-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-26-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-25-0x0000000005340000-0x000000000539F000-memory.dmp

memory/848-2105-0x0000000005540000-0x0000000005572000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/6096-2118-0x0000000000900000-0x0000000000930000-memory.dmp

memory/6096-2119-0x00000000029F0000-0x00000000029F6000-memory.dmp

memory/6096-2120-0x00000000058C0000-0x0000000005ED8000-memory.dmp

memory/6096-2121-0x00000000053B0000-0x00000000054BA000-memory.dmp

memory/6096-2122-0x0000000005270000-0x0000000005282000-memory.dmp

memory/6096-2123-0x00000000052E0000-0x000000000531C000-memory.dmp

memory/6096-2124-0x0000000005330000-0x000000000537C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr586258.exe

MD5 d6064609fc23e14d9d4727d293a70ba6
SHA1 f6f2a1f34d9833851255be235544ebe4df2e95c3
SHA256 3bff9af6eb255f4afa6f9b3435190146ea8c9b1f0b822169462908c2df34eaf9
SHA512 74feb37c801dba3ab9e8392cd97130e0c276a0096abc022b2822e78f9c3e83c62b7ce781790d4f34baefda57752bf0e0cacf7c4eccec380ef323395c1edeeae8

memory/2176-2129-0x0000000000700000-0x0000000000730000-memory.dmp

memory/2176-2130-0x0000000004FE0000-0x0000000004FE6000-memory.dmp