Malware Analysis Report

2025-01-23 06:50

Sample ID 241105-g35p8aynhq
Target 1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb
SHA256 1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb

Threat Level: Known bad

The file 1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

Detects Healer, an antivirus disabler dropper

Healer family

RedLine

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 06:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 06:20

Reported

2024-11-05 06:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
Note: this write is an attempt to switch Tamper Protection off so that the Real-Time Protection policy values set by the same process take effect. Where Tamper Protection is active it is designed to block exactly these registry changes, so the rows record the attempted writes, not whether Defender honoured them; the report does not show the VM's Tamper Protection state.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe N/A
Note: RunOnce\wextract_cleanupN entries that run advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory are written by the Windows IExpress/wextract self-extractor to delete its staging directory at next logon. Two of them here mean the sample is an IExpress package that carries a second IExpress package (ziVN8864.exe). They are housekeeping for the dropper rather than persistence for the payload, though the Process column still ties each entry to the stage that created it.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe N/A
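The registry rows in the Modifies Windows Defender Real-time Protection settings, Windows security modification, Adds Run key and discovery tables above all follow one layout, so they can be parsed and scored mechanically. The script below is an added example, not code from the report or from the sandbox vendor: it parses rows in that layout, separates Defender tampering (high) from IExpress cleanup (info) and from plain Run-key persistence (medium), and sums the result per process. The sample rows are copied from this report except the last, a constructed Run key with a hypothetical process path; the category names and severity labels are this example's own choice.

```python
"""Classify the registry rows of a sandbox report (added example, not part
of the report or of any vendor tooling).

The parser reads rows in the "Description Indicator Process Target" layout
used above. SAMPLE_ROWS copies rows from this report; the last row is a
constructed, hypothetical Run key (process path made up) that shows how a
real autorun entry is told apart from IExpress/wextract cleanup."""
import re
from collections import Counter

ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \((?:int|str)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'             # lazy: stops where the trailing fields fit
    r'(?: = "(?P<val>(?:[^"\\]|\\.)*)")?'   # optional value, with \" and \\ escapes
    r' (?P<proc>\S+) (?P<target>\S+)$'
)

RTP_POLICY_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
RTP_DISABLE_VALUES = {
    'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableOnAccessProtection',
    'DisableRealtimeMonitoring', 'DisableScanOnRealtimeEnable',
}
TAMPER_VALUE = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
IEXPRESS_CLEANUP = 'advpack.dll,DelNodeRunDLL32'   # wextract's own RunOnce cleanup stub
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?$')


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unparsed row: {row!r}')
    d = m.groupdict()
    d['key'], _, d['name'] = d['key'].rpartition('\\')  # value name is the last path element
    return d


def classify(row):
    r = parse_row(row)
    key, name, val = r['key'], r['name'], r['val']
    full = key + '\\' + name
    if r['op'].startswith('Set value'):
        if key == RTP_POLICY_KEY and name in RTP_DISABLE_VALUES and val == '1':
            cat, sev = 'defender_rtp_disable', 'high'
        elif full == TAMPER_VALUE and val == '0':
            cat, sev = 'tamper_protection_off', 'high'
        elif AUTORUN_KEY_RE.search(key):
            if name.startswith('wextract_cleanup') and IEXPRESS_CLEANUP in (val or ''):
                cat, sev = 'iexpress_cleanup', 'info'   # self-extractor housekeeping, not persistence
            else:
                cat, sev = 'run_key_persistence', 'medium'
        else:
            cat, sev = 'other_write', 'low'
    elif full.endswith(r'\Control Panel\International\Geo\Nation'):
        cat, sev = 'geo_check', 'low'
    elif full.endswith(r'\Control\NLS\Language'):
        cat, sev = 'language_check', 'low'
    else:
        cat, sev = 'other', 'info'
    return {'process': r['proc'], 'category': cat, 'severity': sev, 'key': full, 'value': val}


def summarize(rows):
    """Per-process category counts, so the Defender-tampering process stands out."""
    per_proc = {}
    for f in map(classify, rows):
        per_proc.setdefault(f['process'], Counter())[f['category']] += 1
    return per_proc


def high_severity_processes(rows):
    return sorted({f['process'] for f in map(classify, rows) if f['severity'] == 'high'})


SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe N/A',
    # constructed, hypothetical row (not from the report): a plain Run key
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\hypothetical\\updater.exe" C:\hypothetical\sample.exe N/A',
]

if __name__ == '__main__':
    for f in map(classify, SAMPLE_ROWS):
        print(f"{f['severity']:<6} {f['category']:<22} {f['process']}")
    print('high severity:', high_severity_processes(SAMPLE_ROWS))
```

Run as-is it prints one scored line per row and names jr055170.exe as the only process with high-severity writes; feed it the rows of another report in the same layout to get the same per-process picture.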

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe
PID 2032 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe
PID 2032 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe
PID 4800 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe
PID 4800 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe
PID 4800 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe
PID 4800 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe
PID 4800 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe
PID 1344 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe C:\Windows\Temp\1.exe
PID 1344 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe C:\Windows\Temp\1.exe
PID 1344 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe C:\Windows\Temp\1.exe
PID 2032 wrote to memory of 5960 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe
PID 2032 wrote to memory of 5960 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe
PID 2032 wrote to memory of 5960 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe
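The Suspicious use of WriteProcessMemory table records one row per write, which hides the execution chain behind repeated lines. As an added example, not code from the report or its vendor, the script below rebuilds the process tree from those rows (copied as-is), deduplicates the repeated writes and tags every image that runs from a dropper staging directory; the [staged] label and the staging-directory pattern (IXPnnn.TMP and the Windows Temp directory) are this example's assumptions.

```python
"""Rebuild the process tree from the WriteProcessMemory rows (added example,
not part of the report).

The sandbox emits one row per write, so a parent/child pair repeats while
the parent sets up the child. WPM_ROWS is the table from this report,
copied as-is; the tree dedupes the rows and tags processes running from
dropper staging directories (IXPnnn.TMP and the Windows Temp directory)."""
import re

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$'
)
# assumption of this example: these directories mark dropper-written stages
STAGING_RE = re.compile(r'\\(?:IXP\d{3}\.TMP|Windows\\Temp)\\', re.IGNORECASE)


def parse_wpm(text):
    """Return (edges, names): edges maps parent PID to an ordered list of
    unique child PIDs; names maps PID to image path."""
    edges, names = {}, {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f'unparsed row: {line!r}')
        src, dst = int(m['src']), int(m['dst'])
        names[src], names[dst] = m['src_path'], m['dst_path']
        children = edges.setdefault(src, [])
        if dst not in children:          # drop the repeated writes to the same child
            children.append(dst)
    return edges, names


def roots(edges):
    """PIDs that write to others but are never written to: the top of the chain."""
    written_to = {c for cs in edges.values() for c in cs}
    return [p for p in edges if p not in written_to]


def render(edges, names, pid, depth=0):
    """Indented tree lines, root first, depth-first in first-seen order."""
    tag = '  [staged]' if STAGING_RE.search(names[pid]) else ''
    lines = [f"{'  ' * depth}{pid} {names[pid]}{tag}"]
    for child in edges.get(pid, []):
        lines.extend(render(edges, names, child, depth + 1))
    return lines


WPM_ROWS = r"""
PID 2032 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe
PID 2032 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe
PID 2032 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe
PID 4800 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe
PID 4800 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe
PID 4800 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe
PID 4800 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe
PID 4800 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe
PID 1344 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe C:\Windows\Temp\1.exe
PID 1344 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe C:\Windows\Temp\1.exe
PID 1344 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe C:\Windows\Temp\1.exe
PID 2032 wrote to memory of 5960 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe
PID 2032 wrote to memory of 5960 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe
PID 2032 wrote to memory of 5960 N/A C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe
"""

if __name__ == '__main__':
    edges, names = parse_wpm(WPM_ROWS)
    for root in roots(edges):
        print('\n'.join(render(edges, names, root)))
```

The rendered tree shows the sample (2032) spawning the inner IExpress package ziVN8864.exe (4800) and lr006928.exe (5960), with ziVN8864.exe in turn starting jr055170.exe (4604) and ku063939.exe (1344), and ku063939.exe starting C:\Windows\Temp\1.exe (1888); every stage except the submitted file runs from a staging directory.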

Processes

C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe

"C:\Users\Admin\AppData\Local\Temp\1c81d518f5d4b5659ae54726cc032516f31aad6e43f28c82a3b98ab97d6400fb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1344 -ip 1344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1380

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
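The Network table mixes the VM's background traffic with the sample's own connections. As an added example, not from the report or its vendor, the script below parses the table (copied as-is), drops reverse lookups, keeps forward-lookup names, and reports repeated direct-to-IP TCP connections on non-web ports as C2 candidates; the hit threshold and the benign port list are this example's assumptions. Traffic to tse1.mm.bing.net on 443 is resolved by name and goes to a web port, so the heuristic leaves it alone, while the twelve connections to 77.91.124.145:4125 are reported.

```python
"""Triage the Network table of a sandbox report (added example, not part of
the report or of any vendor tooling).

NETWORK_ROWS is the table from this report, copied as-is. Reverse lookups
(in-addr.arpa) are OS background noise and are dropped; forward lookups are
kept as names; repeated TCP connections straight to an IP that no lookup
resolved, on a port other than 80/443, are reported as C2 candidates."""
import re
from collections import Counter

ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?: (?P<name>\S+))? (?P<proto>tcp|udp)$'
)


def parse_network(text):
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f'unparsed row: {line!r}')
        e = m.groupdict()
        e['port'] = int(e['port'])
        events.append(e)
    return events


def dns_names(events):
    """Distinct forward-lookup names, in order of first appearance."""
    names = []
    for e in events:
        if e['proto'] == 'udp' and e['port'] == 53 and e['name'] \
                and not e['name'].endswith('.in-addr.arpa') and e['name'] not in names:
            names.append(e['name'])
    return names


def flag_candidates(events, min_hits=3, benign_ports=(80, 443)):
    """TCP destinations with no resolved name, on a non-web port, hit at least
    min_hits times; thresholds are this example's assumptions."""
    hits = Counter(
        (e['ip'], e['port'], e['cc'])
        for e in events
        if e['proto'] == 'tcp' and not e['name'] and e['port'] not in benign_ports
    )
    found = [{'dest': ip, 'port': port, 'country': cc, 'hits': n}
             for (ip, port, cc), n in hits.items() if n >= min_hits]
    return sorted(found, key=lambda c: -c['hits'])


NETWORK_ROWS = """
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
"""

if __name__ == '__main__':
    ev = parse_network(NETWORK_ROWS)
    print('names resolved:', dns_names(ev))
    for c in flag_candidates(ev):
        print(f"C2 candidate {c['dest']}:{c['port']} ({c['country']}) {c['hits']} connections")
```

The output is a short IOC list suitable for a firewall or IDS block entry; lower min_hits when a detonation is cut short and the beacon has fired only once or twice.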

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVN8864.exe

MD5 b51a535744fae322cb0c055c28272c11
SHA1 9f55cf2590f9f6efd1eee9dfa18c8cba3924a11e
SHA256 2eb06ceccc16e98cc8a8e899ea7ba242f4b340dc83b0c0533baa35b13b8fd574
SHA512 55a2b333483d60f20f728843c2622dab71ee7aa9f441c674d76918aab0cc5cb1c5cf44f748ab2f0966a9005ee4a317b979e6cc48ee1668d85cfca57757dbab8d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr055170.exe

MD5 379fb0ae75b5cf365ee0a15c86b4167b
SHA1 80529f6ce2cbbb12507a6d589fb7c16e00f9276d
SHA256 db07ea25cf15f80e4577f9e59f74385f73b98559bf9363c670bfec5e52b32ad2
SHA512 f05aa518cdd64b539a93ca91bed954b67d1c09c6e96207229192e3d7164544a91d45272c3711167382ce1c84309a58e34b35f342eb232147a1b08f8f051e04fe

memory/4604-14-0x00007FFD6CD13000-0x00007FFD6CD15000-memory.dmp

memory/4604-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp

memory/4604-16-0x00007FFD6CD13000-0x00007FFD6CD15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku063939.exe

MD5 97bb1012405a545c4b1c30822f76f295
SHA1 60cccd3ef8384dc4bde0f7a8fd2025450b402468
SHA256 41ab972d819d5d32f05bf1373fdac2324f56ed0a6a43079e4bb2123c28d7e263
SHA512 d05a696f036dc70e64d470ed14c1638e24aa560a42d0fb79090b5615462e449640bd98e7fc8fd076ca8952811525fba8452e39e54808b3bd3adbf2bf78adba9e

memory/1344-22-0x00000000026E0000-0x0000000002746000-memory.dmp

memory/1344-23-0x0000000004C80000-0x0000000005224000-memory.dmp

memory/1344-24-0x0000000004C10000-0x0000000004C76000-memory.dmp

memory/1344-34-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-48-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-89-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-86-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-84-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-82-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-78-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-76-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-74-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-72-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-70-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-66-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-65-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-62-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-60-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-59-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-56-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-54-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-52-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-50-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-46-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-44-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-42-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-40-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-38-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-36-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-32-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-30-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-28-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-80-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-68-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-26-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-25-0x0000000004C10000-0x0000000004C6F000-memory.dmp

memory/1344-2105-0x0000000005400000-0x0000000005432000-memory.dmp

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

memory/1888-2118-0x00000000009A0000-0x00000000009D0000-memory.dmp

memory/1888-2119-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

memory/1888-2120-0x0000000005930000-0x0000000005F48000-memory.dmp

memory/1888-2121-0x0000000005420000-0x000000000552A000-memory.dmp

memory/1888-2122-0x0000000005330000-0x0000000005342000-memory.dmp

memory/1888-2123-0x0000000005390000-0x00000000053CC000-memory.dmp

memory/1888-2124-0x00000000053D0000-0x000000000541C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr006928.exe

MD5 f96bef5ffb7845e72648f4ded513d3c2
SHA1 61473a34c47087c1cfd67781274ab8b6ad708986
SHA256 7db93f5722f4302463d1afa784f1a56ef2af9cdebdf4b3f9e5f813ecb1103c39
SHA512 42171f9b7898caa4a8b95bd469c3b4ac0fd910c1ef93d8743804a5b4851fdb12c494d98e0ca020ef18bc08f43c30bd91a34aac305227fa0194538b523b2cce43

memory/5960-2129-0x0000000000520000-0x0000000000550000-memory.dmp

memory/5960-2130-0x0000000002770000-0x0000000002776000-memory.dmp