Malware Analysis Report

2025-01-23 06:43

Sample ID 241105-fpyjbaxpbq
Target c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced
SHA256 c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced
Tags: healer redline dozt norm discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced

Threat Level: Known bad

The file c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Healer family

Redline family

Detects Healer an antivirus disabler dropper

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-05 05:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-05 05:03
Reported: 2024-11-05 05:06
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr373389.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4196 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe
PID 4196 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe
PID 4196 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe
PID 1968 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe
PID 1968 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe
PID 1968 wrote to memory of 816 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe
PID 1968 wrote to memory of 816 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe
PID 1968 wrote to memory of 816 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe
PID 816 wrote to memory of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe | C:\Windows\Temp\1.exe
PID 816 wrote to memory of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe | C:\Windows\Temp\1.exe
PID 816 wrote to memory of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe | C:\Windows\Temp\1.exe
PID 4196 wrote to memory of 5492 | N/A | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr373389.exe
PID 4196 wrote to memory of 5492 | N/A | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr373389.exe
PID 4196 wrote to memory of 5492 | N/A | C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr373389.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe

"C:\Users\Admin\AppData\Local\Temp\c8bb74f93b4ab991ca87a9fa2f2359637c81aaadde934ec0d051f3d1b4584ced.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr373389.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr373389.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp
FI | 77.91.124.145:4125 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqb5573.exe

MD5 758a0233a1f52aff0dd018ba67fb6d77
SHA1 e471fcf2396915effb9f4f0d06f8292a05b609d7
SHA256 e481742242867a1150825e7752d439f7fdbfb1a38b43d0d9fa1f501f57baa43f
SHA512 dfdd1d39d256c11a765368c0d1aa64b27709b1da74a13b1e7b70148c21e1db9bde84a5990ee7251468a8f41beb40ac5a0acdfe62d79901fccd08abcb3c193cd9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927248.exe

MD5 e432e176ad38b37b20fb6b21688061c1
SHA1 dd07a5f121aa02072e5fb6b166c95699851657f4
SHA256 32b019ffaa5797ad44ba630ccffff6dad97ef111d6c3844948d7be7fb6771892
SHA512 c29c2b02ae24eae70d15a149ad9a593a0daec5763227380de0e5dd631959e435939966ff31629cbc906ed1524bb638677a759a7c3f0551d13a8bee8bb753de26

memory/2000-14-0x00007FF9A4553000-0x00007FF9A4555000-memory.dmp

memory/2000-15-0x0000000000280000-0x000000000028A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku255972.exe

MD5 52aa7338d77455ca1e95c9fecfb283c2
SHA1 12a494e1a3edd31297e7a5696c9dfbf0357869eb
SHA256 a7b8e048606fb2fe9bee60e041aace29a7c2847715cab710a2f29e1a95d4fb72
SHA512 bef75ae29081cdc966290d1a98e1824489cdb2961a0bb946be50d8f32021cfec58db983392633792f8d73390abc3da115114ce86e3d9cd2ea2feb32aa23611de

memory/816-21-0x0000000002800000-0x0000000002866000-memory.dmp

memory/816-22-0x0000000004DA0000-0x0000000005344000-memory.dmp

memory/816-23-0x0000000004D30000-0x0000000004D96000-memory.dmp

memory/816-41-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-39-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-87-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-85-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-83-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-81-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-77-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-75-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-73-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-71-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-69-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-67-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-65-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-61-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-59-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-57-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-55-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-53-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-51-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-49-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-47-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-45-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-43-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-37-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-35-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-33-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-31-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-29-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-79-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-63-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-27-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-25-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-24-0x0000000004D30000-0x0000000004D8F000-memory.dmp

memory/816-2104-0x0000000005540000-0x0000000005572000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/5280-2117-0x0000000000230000-0x0000000000260000-memory.dmp

memory/5280-2118-0x0000000002310000-0x0000000002316000-memory.dmp

memory/5280-2119-0x00000000051C0000-0x00000000057D8000-memory.dmp

memory/5280-2120-0x0000000004CB0000-0x0000000004DBA000-memory.dmp

memory/5280-2121-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

memory/5280-2122-0x0000000004C20000-0x0000000004C5C000-memory.dmp

memory/5280-2123-0x0000000004C60000-0x0000000004CAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr373389.exe

MD5 0056b1177791ed5fa12c3e5ba214f2a3
SHA1 04079e6afa26599fd1d00def5ce2062a1ba028bc
SHA256 0b8307c693b857c694a4775a1009ef18a758949b0bd834149fca508977d20660
SHA512 51f2e7ecf5f316a6894660963f614961cd08cc8b5203fd421f680dafdb6423371d21a9cb33ed78c56b489367908736f42f85d845de3c6e86b192fc4838f6b378

memory/5492-2128-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

memory/5492-2129-0x00000000013B0000-0x00000000013B6000-memory.dmp