Malware Analysis Report

2025-01-23 06:49

Sample ID 241105-gny9wswhlp
Target 53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687
SHA256 53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687
Tags
healer redline dozt norm discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687

Threat Level: Known bad

The file 53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687 was found to be: Known bad.

Malicious Activity Summary

healer redline dozt norm discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Redline family

Healer family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 05:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 05:57

Reported

2024-11-05 06:00

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr225995.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe
PID 560 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe
PID 560 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe
PID 2236 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe
PID 2236 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe
PID 2236 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe
PID 2236 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe
PID 2236 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe
PID 2356 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe C:\Windows\Temp\1.exe
PID 2356 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe C:\Windows\Temp\1.exe
PID 2356 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe C:\Windows\Temp\1.exe
PID 560 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr225995.exe
PID 560 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr225995.exe
PID 560 wrote to memory of 5944 N/A C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr225995.exe

Processes

C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe

"C:\Users\Admin\AppData\Local\Temp\53602992068c02f1b876876e82048b2028aa4344ef8bf7ca79a77ce55ec76687.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2356 -ip 2356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr225995.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr225995.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp
FI 77.91.124.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT1995.exe

MD5 8e8d208d3a558dd1b4053a3ed3b53b74
SHA1 cce1bfc33c801b51e36097756b1ff4cdb0d30232
SHA256 88c2a53018aff272c886356ed18ebdb2a63ba01ab482e34f130ffa1a9ffe49e8
SHA512 81a5cf452ec504dcf430b53287618c4acae11cccca0977c4143f14505235866b793bd378e2d871c93af67a6bbe53b5f9edfd8685a5ccbcda85b911e00f107ca3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr946348.exe

MD5 5c6406551fb98bd219daabec4b58db17
SHA1 06ca6eea1bc2c1a429daea2f62ae787e87ad226f
SHA256 668492e115d6b3964598fd2993d9543e4e295310da33f0c329aa82c450fefba5
SHA512 e0519ed1f041894766f610a9b0744726cb07ef556eaaf1f2f0329c6f07b64e6b237c73e142bf8e78272c1cad27ab921dc6dc616330c3250973425d17d2986b64

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku837247.exe

MD5 25d58b1cb09144eaf0a8b42e696deca9
SHA1 e582eacef2798e597ab58438ee7fbe04e5209e04
SHA256 81381a026539907c2646d27af6c3aa1c21960af62a44aff6c998cb5906b9396a
SHA512 41ae0fe4bfe5d049d769c564c0e8551ce9c5b4aa011dd3377e9c9d5cf402f6e26f771c70c381506b182f7f4f581ab4c17385429e71f363ed996c72315a117a16

C:\Windows\Temp\1.exe

MD5 1073b2e7f778788852d3f7bb79929882
SHA1 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256 c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr225995.exe

MD5 2201c7c02501c312113366fe82a91cab
SHA1 5fb61fb20202cae74df85aaf39d8fa47db34db2f
SHA256 a6d5d2aba66b4fcede1137921c9aec826e3943eaf95257ec61603b903582a238
SHA512 92c6ef4bec0efbd91b63b3b51e8beb62a3648f8ae75c36edb3c3ef5ef26b2825cbb9085a82821842a178913667e83060151408cb9220fd1bec14a607d4b57f2d
